KSOS Kernel Verification Results


1. Introduction

The original KSOS verification goals were the following:

1. The instantiation of the multilevel security model to SPECIAL;

2. The design and development of a computer tool (the MLS formula generator)
whose input would be SPECIAL specifications, and whose output would be
conjectures, the proof of which would imply that the specifications do
not contain any violations of the multilevel security model;

3. The proofs that the specifications for the KSOS security perimeter (Kernel
and NKSR) conform to the security model. In the event of violations,
the proof process should pinpoint the violations so that they may be
eliminated or bandwidth-limited;

4. The development of support tools so that illustrative code proofs could
be carried out. The goal of these code proofs is to demonstrate the
feasibility of performing full code proofs at a later date;

5. The carrying out of illustrative code proofs.

KSOS has succeeded in instantiating the multilevel security model to SPECIAL
and developing the MLS formula generator, in producing proofs of the kernel
specifications, in producing prototype support tools that could be used in
code proofs, in producing a code proof for a version of the SMXflow module,
and in producing some mapping functions (manually) showing the correspondence
of VFUNs to Modula structures for certain kernel modules. Due to a variety of
organizational and technical factors indicated below, KSOS has been less than
successful in producing specification proofs for the NKSR, in producing
human-engineered, fully documented support tools for code proofs, and in
producing code proofs other than for simplified modules.
2. KSOS Verification Achievements

This section provides details of the achievements mentioned above, and
indicates their benefits.

2.1 The MLS Formula Generator

The instantiation of the MLS model to SPECIAL, and a description of the
MLS formula generator, are found in the report "A Technique for Proving
Specifications are Multilevel Secure", SRI CSL-109, January 1980. Although
this tool has limitations, as mentioned below, the concept upon which it is
based represents an important breakthrough in verifying security properties
of systems. Its main virtue is that the designer of a system need only supply
the specifications of the system as input; in contrast to other verification
systems (e.g., Ina Jo), it is not necessary to supply additional assertions.
Several current limitations and areas for improvement are mentioned in the
above-cited report: a variety of restrictions of SPECIAL are imposed on the
designer; the semantics of SPECIAL is defined only within the code for the
formula generator and in the definitions and axioms of the theorem prover; the
human interface is clumsy and provides little help in analyzing the output;
and the tool is largely ad hoc in construction and behavior, creating the
possibility both of failed proofs that should succeed and of unsound proofs
in the face of security flaws. In addition to this list, we have noted in our
use of the tool that a large majority of the formulas sent to the theorem
prover are not much more complex than x <= x, which might be filtered out by
a more powerful simplifier.

2.2 Proof of the Kernel Specifications

Between November 1979 and February 1980 there was intensive activity
subjecting the kernel specification to analysis using the MLS and theorem
proving tools. The specifications for all 34 top-level kernel calls, and their
supporting specifications, were processed. Space limitations prevented the
entire kernel from being processed in a single run, so the kernel
specifications were broken into 5 modules. It is significant that the
modularity of the kernel specifications permitted such a decomposition after
the fact.

In the first run, 24 November 1979, a total of 1654 formulas were generated
by MLS. 755 of these were sufficiently trivial that the MLS tool was able to
deduce their validity without passing them on to the Theorem Prover. Of the
remaining 899 formulas, 586 were proved by the Theorem Prover, and 313 were
unproved. In the final run, 5 February 1980, the figures were: 1598 formulas
generated, 867 proved trivially by MLS, 416 proved by the Theorem Prover, and
315 unproved. Detailed charts showing the statistics for each kernel call, for
the 19 November 1979 and 12 February 1980 runs, are presented below. These
specifications are included as Appendix A.


In the remainder of this section, we will discuss the significance of
these numbers, and the effect that the runs had on subsequent modifications to
the specifications. There is no significant correlation between the number of
unproved conjectures and the degree to which the specifications contain
security violations. This is because a subtle and deep violation of the
security model may generate a small number of conjectures, whereas a simple
and easily repairable violation may generate many unproved conjectures.
Nonetheless, the totality of unproved conjectures is significant in that it
maps onto the totality of violations of the model.

The first several runs pinpointed problems in the MLS tool itself and in
the style of writing specifications. The MLS tool was unable to handle
resource errors or renaming, and produced numerous duplicate formulas to be
sent to the Theorem Prover. In terms of specification writing style, the tool
had trouble with EFFECTS_OF clauses, with ordering of exceptions, and
(somewhat to our amazement) with treating logically equivalent boolean
expressions equivalently (e.g., AND and OR are treated nonsymmetrically, with
the result that De Morgan's laws do not apply as far as the MLS tool is
concerned). Therefore phase 1 of our efforts dealt with rewriting the
specifications to work around these problems, and with the correction of
certain difficulties with the MLS tool.

The next phase of our involvement with the specifications dealt with
adding knowledge that the Theorem Prover would need to prove some of the
unproved conjectures. For example, various security properties hold for open
files, because such properties were checked at the time the file was opened,
and no security changes have been made since then. Such information was added
in the form of axioms (or unproved lemmas), which allowed some of the unproved
conjectures to be proved. However, extreme caution is needed in adding axioms
(i) to avoid adding inconsistencies (in which case every conjecture is
provable, since an inconsistent set of axioms implies FALSE, and FALSE implies
anything), and (ii) to avoid adding consistent but unwarranted axioms. It is
very unlikely that an inconsistency would be added that would not be detected
subsequently by human analysis. For several runs, however, there were some
unwarranted axioms to the effect that access is possible only between
entities at the same security level (such a system is known as "stratified").
As a result, several conjectures were proven which should not have been.

Thus far, the discussion has focused on experiences with the tools
themselves, and with adding supplemental knowledge in the form of axioms. The
analysis of the unproved conjectures is also significant. We categorized the
reasons for failing to prove a conjecture as follows:

* resource error (representing a potential channel, based on resource
utilization patterns, which may be bandwidth-limited by the introduction of
random delays in the implementation, rather than eliminated);

* errors that can be fixed by redesigning the kernel;

* errors that are allowed to remain because there is no way for illicit
information to leak beyond the security perimeter (including deliberate
violations in the trusted software, needed to achieve desired functionality,
as well as violations to hidden VFUNs);

* and valid formulas which the theorem prover could not prove.

We have analyzed every error detected by the tools, and taken appropriate
action. However, the funding for continued utilization of the tools on live
specifications was depleted before the final version of the specifications
was produced. Thus, potentially, there are violations in the final version of
the specifications that should be fixed.

Next are presented detailed charts showing the statistics for each of the
34 kernel calls in terms of number of formulas generated (FOR), trivially
proved (TRV), proved by the Theorem Prover (THM), and unproved (UNP). Following
these charts, the next several subsections deal with a more detailed analysis
of the changes made to the specifications as a result of analyzing the output
of the tools.
11/19/79 Status of KSOS Specifications

                                 FOR    TRV    THM    UNP

(KER1)
K_FORK                           158     39     18    101
K_GET_PROCESS_STATUS               2      0      2      0
K_INTERRUPT_RETURN                 9      9      0      0
K_INVOKE                          61     42     19      0
K_NAP                              0      0      0      0
K_POST                            10      6      4      0
K_RECEIVE                          7      7      0      0
K_RELEASE_PROCESS                 49     18      9     22
K_SET_PROCESS_STATUS               6      4      2      0
K_SIGNAL                           6      2      4      0
K_SPAWN                          149     50     31     68
K_WALK_PROCESS_TABLE               2      2      0      0

(KER2)
K_CLOSE                           29     11     15      3
K_CREATE                          29     10      1     18
K_GET_FILE_STATUS                 28      0      6     22
K_LINK                            30      3      3     24
K_MOUNT                           66     28     28     10
K_OPEN                            90     18      1     71
K_SECURE_TERMINAL_LOCK             7      4      0      3
K_SET_FILE_STATUS                 81     15     15     51
K_UNLINK                          59      3      4     52
K_UNMOUNT                         79     22     19     38

(KER3)
K_DEVICE_FUNCTION                100     49     51      0
K_SPECIAL_FUNCTION                 3      2      1      0
K_WRITE_BLOCK                    211     97    114      0

(KER4)
K_BUILD_SEGMENT                   39     22      3     14
K_GET_OBJECT_LEVEL                 2      0      2      0
K_GET_SEGMENT_STATUS               3      0      3      0
K_RELEASE_SEGMENT                 30     15     15      0
K_REMAP                           82     55     27      0
K_RENDEZVOUS_SEGMENT              49     28      3     18
K_SET_OBJECT_LEVEL                11      5      0      6
K_SET_SEGMENT_STATUS              31     16     15      0

(KER5)
K_READ_BLOCK                     309    161    148      0

TOTAL                           1827    743    563    521
2/12/80 Status of KSOS Specifications

(The total of the last three columns may be less than the first
column, due to the formula generator eliminating duplicate
formulas.)

                                 FOR    TRV    THM    UNP

(KER1)
K_FORK                           177     96      0     34
K_GET_PROCESS_STATUS               2      0      2      0
K_INTERRUPT_RETURN                 9      9      0      0
K_INVOKE                          61     42     11      1
K_NAP                              0      0      0      0
K_POST                             8      6      1      1
K_RECEIVE                          7      7      0      0
K_RELEASE_PROCESS                 74     19      5     13
K_SET_PROCESS_STATUS               6      4      2      0
K_SIGNAL                           6      2      3      0
K_SPAWN                          149     88     11     16
K_WALK_PROCESS_TABLE               2      2      0      0

(KER2)
K_CLOSE                           48     23      0      3
K_CREATE                          26     12      1      6
K_GET_FILE_STATUS                  7      0      3      0
K_LINK                            15     11      2      1
K_MOUNT                           64     23      6     17
K_OPEN                            48     27      8      4
K_SECURE_TERMINAL_LOCK             7      4      0      2
K_SET_FILE_STATUS                 36     16     10      1
K_UNLINK                          26     19      3      1
K_UNMOUNT                         79     35      6     17

(KER3)
K_DEVICE_FUNCTION                 45     13     32      0
K_SPECIAL_FUNCTION                 3      2      1      0
K_WRITE_BLOCK                    211    111    100      0

(KER4)
K_BUILD_SEGMENT                   43     33      3      3
K_GET_OBJECT_LEVEL                 2      0      2      0
K_GET_SEGMENT_STATUS               3      0      2      0
K_RELEASE_SEGMENT                 38     17      0      6
K_REMAP                           50     34      9      7
K_RENDEZVOUS_SEGMENT              48     28     12      1
K_SET_OBJECT_LEVEL                11      7      0      4
K_SET_SEGMENT_STATUS              31     16      8      0

(KER5)
K_READ_BLOCK                     254    160     94      0

TOTAL                           1596    867    337    138
2.2.1 Analysis of the Specification Proofs

The value of using an automatic tool for checking conformance with a
formal model of security, rather than relying on careful scrutiny by teams of
humans, became obvious when the tool detected numerous "errors" that had gone
undetected throughout several iterations of human inspection by the
Contractor, Subcontractor, and Customer. Analysis of these errors led to the
following four categories:

1. errors that could be removed by providing additional information or by
syntactically reformulating the specifications;

2. errors that represent formal, but not "real", violations of the model;

3. errors that represent implicit channels, that cannot be removed without
destroying needed KSOS functionality, but which can be bandwidth-limited;

4. and errors that represented wide-open security violations (there were no
violations in this category).

Examples of errors that could be removed by adding or reformulating EXCEPTIONS
are found in PROpost, PROreleaseProcess, PROsetProcessStatus, and FCAopen.
Security violations existed in the original versions of the PRO specifications
because a process could determine the (non)existence of another process at a
higher level by means of an EXCEPTION value. In FCAopen, an error existed in
the original specifications when a process tried to open a file at a higher
level for writing (since file status information also had to be read by the
process, which is a read of higher-level information). The solution was to
disallow a process from opening a file at a higher level.
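The exception-value channel described above, as an added example that is not
part of the KSOS specifications: a hypothetical release_process call in which
the existence check precedes the level check, so a low-level caller learns
whether a higher-level process exists from which exception it receives, next
to a reordered version. The call name, the process table, the rule that a
pid's level is recoverable from the pid itself (as a KSOS seid carries its
name-space part at system low), and the policy that a caller may release only
a process it dominates are all assumptions made for the example.

```python
"""Exception-value channel of the kind the MLS tool flagged in the PRO
specifications, with a reordered version.  Added example; release_process,
the process table layout, level_of and the dominance policy are assumptions,
not the KSOS specification."""
from dataclasses import dataclass


class NoSuchProcess(Exception):
    pass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Process:
    pid: int
    level: int  # higher int dominates lower; a total order is enough here


def level_of(pid: int) -> int:
    """Assumption: a pid's level is a function of the pid itself, so reading
    it discloses nothing about any higher-level object."""
    return pid // 1000


def release_process_leaky(table: dict, caller: Process, pid: int) -> None:
    """Existence is tested before the level check.  A low caller naming a
    high pid gets NoSuchProcess or AccessDenied depending on the state of a
    higher-level object: a read-down through the exception value."""
    if pid not in table:
        raise NoSuchProcess()
    if caller.level < level_of(pid):
        raise AccessDenied()
    del table[pid]


def release_process_fixed(table: dict, caller: Process, pid: int) -> None:
    """Reordered: the level check uses only the system-low level of the pid,
    so every non-dominated target yields AccessDenied, and existence is only
    consulted once the caller is allowed to read it."""
    if caller.level < level_of(pid):
        raise AccessDenied()
    if pid not in table:
        raise NoSuchProcess()
    del table[pid]


def observe(call, table: dict, caller: Process, pid: int) -> str:
    """What the caller can see of one invocation: success or the exception."""
    try:
        call(dict(table), caller, pid)
        return "ok"
    except (NoSuchProcess, AccessDenied) as exc:
        return type(exc).__name__


def exception_channel(call, caller: Process, pid: int) -> bool:
    """Noninterference check in the spirit of the MLS conjectures: for a pid
    the caller does not dominate, the caller's view of `call` must be the
    same whether or not that process exists.  True means the call leaks."""
    assert caller.level < level_of(pid), "only meaningful for a non-dominated target"
    present = {pid: Process(pid, level_of(pid))}
    absent = {}
    return observe(call, present, caller, pid) != observe(call, absent, caller, pid)


if __name__ == "__main__":
    low = Process(pid=1001, level=1)
    high_pid = 3007  # level 3, not dominated by `low`
    print("leaky:", exception_channel(release_process_leaky, low, high_pid))  # True
    print("fixed:", exception_channel(release_process_fixed, low, high_pid))  # False
```

The check is the two-state comparison the formula generator performs symbolically: run the
call in a state where the higher-level object exists and in one where it does not, and
require the low-level observation to be identical. Reordering the exceptions is only sound
here because the level of a pid is itself at system low; if it had to be read from the
target's process entry, the fixed version would simply move the leak.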

An example of a violation that could be removed by kernel redesign was in
the subtype mechanism. In FCA, a global assertion was needed stating that if
a process p can read or write a file f, then p can read the subtype associated
with f. Thus, the level of a file is greater than or equal to the level of
its associated subtype. In the original design of subtypes, there was also
the rule that to write on file f, a process p must be able to write on the
subtype associated with f. All the previous facts, however, imply that for
any subtype x, all files associated with x must be at the same level as x.
This is unacceptable in the case of directories, since users at different
levels create directories. The solution was to change the above rule so that
to write on file f, process p must be able to execute (not write) the subtype
associated with f.

An example of a formal, but not "real", security violation is a read
reference to the openCount field of FCAinfo, as occurs in FCAclose.
Ostensibly this read reference is a security violation; however, the only
knowledge gained is whether or not its value is 1, and if so, the file is
deleted immediately.

2.2.2 Additional Lessons Learned from the Kernel Specification Proofs

In addition to the direct analysis of the output of the specification
proofs, certain principles emerged which have provided useful guidelines in
writing specifications, and which, in the future, may be worthwhile to
incorporate in tools. Two such principles we have named the "setup principle"
and the "transition principle".

2.2.2.1 The Setup Principle

The Setup Principle states: "If process p can access object o at time t,
and no security-related changes occur to p or o between t and the current
time t', then p can access o at t' without rechecking access rights".
Applications of this principle are: putting a file into the open descriptor
table; and putting a segment into an address space. Utilizing the principle
in a proof would involve restricting tranquility violations to trusted
software, and proving that the trusted software did not make undesirable
security-related changes.


2.2.2.2 The Transition Principle

The Transition Principle states that "For finite, reusable objects (e.g.,
seids, openDescriptors), tranquility violations are acceptable if they conform
to the following transition rules:

1. in making transitions from a defined to an undefined state for an object
o, all VFUNs whose security level is a function of o also become undefined
at the same time (VFUNs such as SENseidNsp, whose security level is always
system low, are thus excluded from this rule);

2. a new object comes into existence only from the undefined state."
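A checker for the two transition rules, as an added example that is not part
of the report or the SRI tools. It walks a trace of state changes to a
reusable seid and reports every step that violates rule 1 (a release that
leaves a level-dependent VFUN defined) or rule 2 (a build over a seid that is
still defined). The VFUN names are those the report uses; the trace, the
write sets and the assumption that SEGinstanceInfo is the VFUN whose
definedness marks a seid as existing are constructed for the example.

```python
"""Checker for the transition rules of section 2.2.2.2 over a constructed
trace.  Added example; the existence VFUN, the traces and the write sets are
assumptions, not KSOS data."""

UNDEFINED = None

# For each VFUN of a reusable object: True if its security level is a
# function of the object (rule 1 applies), False if it is always at system
# low (SENseidNsp), which rule 1 exempts.
LEVEL_DEPENDS_ON_OBJECT = {
    "SEGinstanceInfo": True,
    "TIIinfo": True,
    "SENseidNsp": False,
}

EXISTENCE_VFUN = "SEGinstanceInfo"   # assumption: defined iff the seid exists


def is_defined(state, seid):
    return state.get((EXISTENCE_VFUN, seid)) is not UNDEFINED


def check_trace(initial, steps):
    """Each step is (op, seid, writes); writes maps (vfun, seid) to the new
    value, UNDEFINED meaning the VFUN becomes undefined.  Returns a list of
    (step index, rule number, description) for every violated rule.

    Rule 1 matters because a seid is reusable: a level-dependent VFUN left
    defined after release is state at the old object's level that a later
    holder of the same seid, possibly at a lower level, could read.
    Rule 2 matters because building a "new" object over a still-defined one
    silently rebinds state at the old object's level to the new one."""
    state = dict(initial)
    violations = []
    for i, (op, seid, writes) in enumerate(steps):
        was_defined = is_defined(state, seid)
        if op == "build" and was_defined:
            violations.append((i, 2, f"build of seid {seid} while it is still defined"))
        state.update(writes)
        if was_defined and not is_defined(state, seid):
            stale = sorted(v for v, dep in LEVEL_DEPENDS_ON_OBJECT.items()
                           if dep and state.get((v, seid)) is not UNDEFINED)
            if stale:
                violations.append((i, 1, f"release of seid {seid} leaves {stale} defined"))
    return violations


# Constructed traces.  SENseidNsp is defined from the start and never
# undefined: it is system low, so it may outlive the object.
INITIAL = {("SENseidNsp", 7): "nsp7"}

GOOD_TRACE = [
    ("build", 7, {("SEGinstanceInfo", 7): "inst-a", ("TIIinfo", 7): "tii-a"}),
    ("release", 7, {("SEGinstanceInfo", 7): UNDEFINED, ("TIIinfo", 7): UNDEFINED}),
    ("build", 7, {("SEGinstanceInfo", 7): "inst-b", ("TIIinfo", 7): "tii-b"}),
]

BAD_TRACE = [
    ("build", 7, {("SEGinstanceInfo", 7): "inst-a", ("TIIinfo", 7): "tii-a"}),
    # reuse without passing through the undefined state (rule 2)
    ("build", 7, {("SEGinstanceInfo", 7): "inst-b"}),
    # release that leaves TIIinfo(7) defined (rule 1)
    ("release", 7, {("SEGinstanceInfo", 7): UNDEFINED}),
]


if __name__ == "__main__":
    print("good trace:", check_trace(INITIAL, GOOD_TRACE))
    print("bad trace: ", check_trace(INITIAL, BAD_TRACE))
```

The exemption table is the only policy input: a VFUN is listed as level-dependent exactly
when its security level is a function of the object, which is the distinction the principle
draws between TIIinfo and SENseidNsp.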

2.3 Prototype Tools for Specification and Code Proofs

This section includes three figures showing the organization of the HDM
tools, the organization of the MLS proof tools, and the organization of the
code proof process (including a summary and some additional notes). These
diagrams reflect the status of the subcontractor's efforts at the conclusion
of their participation in KSOS methodological tool development, circa the
first quarter of 1980.


December 1980                                                     WDL-TR9001
KSOS Kernel Verification Results


Figure 1

ORGANIZATION OF THE HDM TOOLS

[Diagram not reproduced. Recoverable content: the inputs are Specifications,
Mappings and Programs. The MODULE CHECKER and REPRESENTATION CHECKER
(Robinson et al.) produce checked specs; the CODE HANDLER accepts programs
(Modula and Pascal handlers exist). For spec proofs, the MLS FORMULA
GENERATOR (Feiertag) takes the specs for upper and lower levels and emits
would-be theorems. For code proofs, the INTERFACE & HIERARCHY CHECKER takes
the interface and hierarchy descriptions and merges the mappings into the
code.]

Figure 2

[Diagram not reproduced.]
2.3.1 Summary of Tools and Manual Steps

1. It is necessary before beginning the proof process that the
specifications, mappings, and code conform to each other. Ideally this step
is not an enormous undertaking if things are done consistently throughout.
Problems that must be dealt with include various difficulties with
exceptions, conflicting effects in multiple EFFECTS_OF clauses, naming
differences, different return argument conventions, etc. Special effort must
also be devoted to handling sets and structures, and certain auxiliary VFUNs
must also be introduced.

It should also be noted that this is an iterative process. One of the most
important aspects of this approach is that it detects inconsistencies. Thus
each problem that is detected requires recycling through the appropriate
paths in the figure.

2. MODULE CHECKER and MAPPING CHECKER are the HDM tools that check syntactic
consistency. They have been working for four years, and are well documented.

3. Manual translation to CIS (Common Internal Specification) and CIM (Common
Internal Mapping) removes all quantification, accommodates structures
(rewriting VFUN references in terms of SELECT, UPDATE, and MAKESTRUCT),
expands nested macros, etc.

4. "UPDATE" EXPANDER translates CIS and CIM to the internal specification
form (VSSL) used by the verification system. It removes all uses of UPDATE
and expands them to expressions in terms of SELECT only, guaranteeing
consistent manipulations of structures. Except for the structure
representations, CIS/CIM and VSSL are identical.

5. CODE TO PIF PARSER parses the Modula code into a parsed internal form
(PIF). This form is normally invisible to the prover.

6. PIF TO CIF TRANSLATOR translates the parsed internal form into the common
internal code form (CIF) used by the verification system, using the supplied
(upper-level) specifications to compute exception handling instructions. CIF
is documented in the Boyer-Moore HDM document.

7. Insertion of various specifications (for the upper-level SELECT [called
SELECT1], the lower-level SELECT, IS_STRUCTURE, CLOCKINFO, and the notion of
UNDEFINED) is required to complete the specifications.

8. The CIF must be augmented with the mappings, CLOCKINFO, at least two
definitions, an invariant (which may contain many components), global
variables (which are optional), and an initialization program.

9. The VERIFICATION CONDITION GENERATOR takes upper- and lower-level
specifications and code (augmented with the mappings, etc., as noted above),
and generates verification conditions for the Theorem Prover.

10. The THEOREM PROVER takes verification conditions as would-be theorems and
attempts to prove them. It returns either TRUE (along with the proof) or
FAILED (along with its attempted proof) for each verification condition.

2.3.2 Additional Notes

A. Before attempting any code proofs, code should have been compiled, run,
and tested. These steps are omitted from this diagram.

B. This path may be traversed either manually or automatically (in the
latter case, with the ALLPARSE function).

C. The output from the CIF translator must be manually loaded from the
translator environment into the Theorem Prover environment, which are
disjoint. However, this change of environment could be automated.

D. At present the Theorem Prover must be invoked manually for the given set
of verification conditions, although this could easily be done
automatically.

2.3.3 Sample MLS Tool Outputs and Their Interpretation

In this section we present two sample outputs from the MLS tool: one
which subsequently fails to be proven by the theorem prover, and one which is
subsequently proven by the theorem prover.

2.3.3.1 A Failed Formula

This example is taken from PVMbuild, and is generated from the first
effect. The relevant definitions are the following:

DEFINITIONS

    tiiStruct proTii IS TIIinfo(pSeid);

    tiiStruct segTii IS STRUCT(proTii.nd, ...);

    seid newSegSeid IS SOME seid s | SENseidNsp(s) = SENseidNsp(exampleSegmentSeid)
                                     AND SEGinstanceInfo(s) = ?;

EXCEPTIONS
    ...

EFFECTS

    'TIIinfo(newSegSeid) = segTii;

    ...;

The MLS tool generates the following conjecture from this first effect, which
is then fed into the theorem prover:
Proving:

    (SMXcompare pSeid.1 s.1.1.1.1)

Name the conjecture *1.

Since there is nothing to induct upon, the proof has
FAILED!


The conjecture is generated based on the structural aspect of the effect,
namely, that writing is occurring into TIIinfo, as evidenced by the syntax of
TIIinfo being quoted. Hence, according to the multilevel security model,
which allows writing to occur only in an upward or equal direction of security
level, the model requires the level of the source of the write to be less than
or equal to the level of 'TIIinfo. The predicate "x is less than or equal to
y in security level" is given formally by "SMXcompare(x,y)". The source of
the writing is segTii, which expands from the above definitions to
STRUCT(TIIinfo(pSeid), ...). The level of segTii is computed by the MLS tool
to be pSeid, based on information fed to the tool at the start of the session
(or remembered by the tool from a previous session). The level of
TIIinfo(newSegSeid) is likewise computed by the MLS tool to be s (from the
definition of newSegSeid). Hence the model requires pSeid to be less than or
equal to s in security level, and generates the conjecture so stating.

The arguments of the conjecture are named pSeid.1 and s.1.1.1.1 because of
the internal workings of the MLS tool, which adds sufficient "tails" to the
variable names to make them all unique. The MLS tool works in a completely
flat name space.

For the above conjecture to be true, it is necessary to add more
information, namely, that the level of newSegSeid is greater than or equal to
the level of pSeid. Neither conjunct in the definition of newSegSeid
constrains the level of the seid that SOME selects, so the theorem prover has
no hypothesis from which the conjecture could follow. This additional
information can be added in a variety of ways. One way would be to add a third
conjunct to the definition of newSegSeid. The information could also be added
via an exception.
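The failed conjecture worked through concretely, as an added example that is
not part of the report or the SRI tools: a lattice SMXcompare (classification
by inequality, categories by subset, the field comparison that section 2.4
describes for the simplified Modula procedure), the set of seids the SOME in
newSegSeid may select, and the MLS write rule applied to the effect
'TIIinfo(newSegSeid) = segTii. Run over a finite state it produces concrete
witnesses for the FAILED proof, and shows that the proposed third conjunct
removes them. The seid encoding, the level table and the candidate pool are
constructed assumptions.

```python
"""The PVMbuild conjecture SMXcompare(pSeid, s) evaluated over a constructed
finite state, with and without the proposed third conjunct.  Added example;
the Level/Seid encodings, LEVEL table, POOL and SEG_INSTANCE_INFO are
assumptions, not KSOS data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    classification: int       # 0 = lowest
    categories: frozenset     # compartment / category set


def SMXcompare(x: Level, y: Level) -> bool:
    """x is less than or equal to y in the security lattice: classification
    by integer inequality, categories by subset."""
    return x.classification <= y.classification and x.categories <= y.categories


@dataclass(frozen=True)
class Seid:
    nsp: int        # name-space part, SENseidNsp(s)
    instance: int


# Constructed state.  LEVEL plays the role of the per-object levels the MLS
# tool is told about at the start of a session; SEG_INSTANCE_INFO maps
# allocated seids to a value and leaves unallocated ones undefined (?).
EXAMPLE_SEID = Seid(nsp=7, instance=0)
P_SEID = Seid(nsp=9, instance=1)
POOL = [Seid(7, 1), Seid(7, 2), Seid(7, 3), Seid(7, 4), Seid(8, 5)]
LEVEL = {
    P_SEID:     Level(1, frozenset({"A"})),
    Seid(7, 1): Level(0, frozenset()),             # strictly below pSeid
    Seid(7, 2): Level(1, frozenset({"B"})),        # incomparable with pSeid
    Seid(7, 3): Level(2, frozenset({"A", "B"})),   # dominates pSeid
    Seid(7, 4): Level(3, frozenset({"A"})),
    Seid(8, 5): Level(0, frozenset()),
}
SEG_INSTANCE_INFO = {Seid(7, 4): "allocated"}   # Seid(7, 4) is in use


def new_seg_seid_choices(p_seid, with_level_conjunct):
    """Every seid the SOME in the definition of newSegSeid may select.
    with_level_conjunct=False is the predicate in the report (same nsp as
    exampleSegmentSeid, SEGinstanceInfo undefined); True adds the proposed
    third conjunct SMXcompare(level(pSeid), level(s))."""
    chosen = []
    for s in POOL:
        if s.nsp != EXAMPLE_SEID.nsp or s in SEG_INSTANCE_INFO:
            continue
        if with_level_conjunct and not SMXcompare(LEVEL[p_seid], LEVEL[s]):
            continue
        chosen.append(s)
    return chosen


def write_conjecture(source_levels, target_level):
    """The MLS rule for one effect: every level the written value depends on
    must be <= the level of the VFUN being written."""
    return all(SMXcompare(src, target_level) for src in source_levels)


def counterexamples(p_seid, with_level_conjunct):
    """Seids for which 'TIIinfo(newSegSeid) = segTii would move information
    at level(pSeid) into a VFUN whose level does not dominate it.  An empty
    list is what a proof of the conjecture establishes for all states; a
    non-empty one is a concrete witness for the FAILED proof."""
    return [s for s in new_seg_seid_choices(p_seid, with_level_conjunct)
            if not write_conjecture([LEVEL[p_seid]], LEVEL[s])]


if __name__ == "__main__":
    print("without third conjunct:", counterexamples(P_SEID, False))
    print("with third conjunct:   ", counterexamples(P_SEID, True))
```

Two of the three admissible seids are witnesses: one strictly below pSeid and one
incomparable with it, which is why the category subset test matters and an integer level
alone would understate the problem. The third conjunct is exactly the conjecture, so adding
it to the definition turns the MLS formula into a tautology; adding it as an exception
instead would keep the write but route the disallowed case to an error return.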

2.3.3.2 A Proven Formula

Virtually all of the formulas generated by the MLS tool and subsequently
proved were simple in nature, requiring substitution of variables or
propositional logic rather than complex inductive strategies. The following
example is typical.

As a first step, a global assertion stating that

    SMXcompare(SEGuseInfo(s, sd).instance, s) = TRUE

was added to the semantics of the system, taken from an assertion in the
specifications. Universal quantification is understood with respect to the
parameters s and sd. The internal form of the assertion is:
ADD.AXIOM(A0013 (REWRITE)
          (IMPLIES T
                   (EQUAL (SMXcompare (DOT (SEGuseInfo s1 sd) (QUOTE instance))
                                      s1)
                          T))
          NIL)


The following proof is now presented, which uses the above axiom.

Module: ker4

Function: K_build_segment

EXCEPTION

    (EXCEPTIONS_OF (PVMbuild pSeid ss ms size vl))

Proving:

    (IMPLIES (EQUAL use.1.1.1.1 (SEGuseInfo pSeid.1 s.4.1))
             (SMXcompare (DOT use.1.1.1.1 (QUOTE instance))
                         pSeid.1))

This formula simplifies, rewriting with A0013 (with s1 instantiated to
pSeid.1 and sd to s.4.1), to:

    (TRUE).

2.4 Code Proof for a Simplified Module

The Modula procedure SMXcompare was greatly simplified for the purpose of
pushing a code proof through the tools. Essentially all data abstractions
were removed from the procedure and its associated specifications, and the
procedure simply compared the fields of the two objects under consideration
for the appropriate inequality or subset operation. Although very much a toy
example, it was instructive to see the trace of the theorem prover in proving
the "correctness of the implementation of SMXCompareModule on
PrimitiveModule". The elapsed time was 1.065 seconds, with .124 seconds of
CPU time devoted to theorem proving. This code proof has been included as
Appendix B.

2.5 Manual Code/Specification Analysis

As part of the efforts leading to the final version of the kernel
specifications, we spent approximately 2 man-days in manually comparing the
code and specifications for the PVM module. Our goal was to get a feeling for
the difficulties in carrying out a code proof. The first step was to map the
types between the code and the specifications. Although there were no
conceptual difficulties at this step, a variety of minor issues had to be
checked. For example, (segDes) is mapped into {0..15}. We checked that no
ordering properties of the integers were used at the top level in the code
(where such ordering properties would be unavailable at the top level in the
specifications). It was only in the implementation of the FORALL construct in
SPECIAL that the ordering properties of the integers were used. Another minor
example occurs in the mapping of tiiStruct. Although the mapping is virtually
the identity mapping, in the specifications owner and group are of type
INTEGER and in the code they are of type CARDINAL.
The next step was to map the primitive VFUNs into the Modula data
representations. There are five primitive VFUNs to be dealt with. Four of
them had reasonably clean mappings. SEGinUseIndexSet, on the other hand, had
no counterpart in the code. We conjectured that its use in the specifications
was to guarantee unique seid generation in PVMbuild and PVMcopySeg. In the
code, STMGassignEntry has the property that any seid generated is unequal to
the seid of any existing segment. It was unclear how a mechanical code proof
would account for this type of correspondence.

The next step was to map the definitions between the specifications and
the code. We noted details in the code that had no counterpart in the
specifications, e.g.: all virtual addresses that are base addresses for
upward-growing segments are multiples of 64; no segment size exceeds
2**16 - 512; and all segment sizes are multiples of 512. Nevertheless, there
were no major conceptual problems in this mapping.

The final step was to map the OFUNs into the Modula procedures. Our
approach was to attempt "transliterating" the OFUNs into a Modula-like
pseudo-code by first applying the previous mappings (and thus moving into a
"Modula-like data space"), and then applying programmer's license to convert
the nonprocedural aspects of SPECIAL into the standard sequential type of
Modula procedure. Having done this, the goal was then to compare the
resulting pseudo-code with the actual Modula code to see if we could
demonstrate equivalence. This paradigm went smoothly for the first OFUN we
attempted (PVMcreate). For the next OFUN, however (PVMstore), we encountered
conceptual obstacles. In the specifications, one of the parameters was
VECTOR_OF INTEGER vec; in the code, however, there was nothing tangible
corresponding to this, because vec represents data in transit along I/O
channels or the data bus. To achieve a code proof would have necessitated
resolving this problem, e.g., by formalizing appropriate aspects of the
underlying computer architecture and incorporating them into the
specifications. This was obviously undoable at this late stage.
3. Non-Achievements

As mentioned earlier, there were various goals that were not achieved.
In this section we indicate difficulties which made success elusive and, where
appropriate, indicate things we would do differently which might lead to
greater success in the future.

1.  Logistical  difficulties  in  running  verification.  Getting  access  to  the 
verification  machine  at  SRI  involved  physically  being  at  SRI  (due  to  a 
poor  communications  link  between  FACC  and  SRI).  Furthermore  the  jobs  had 
to  be  run  in  batch  mode  in  the  evening  hours.  In  the  future,  things 
could  be  improved  dramatically  with  an  on-site,  accessible,  interactive 
verification  capability. 

2. Tool development in isolation from applications development. A large
part of the SRI subcontract for tool development and related support
proceeded in virtual isolation from the KSOS development effort. In the
future, a much closer relationship is called for between Contractor and
Subcontractor. The design and development of tools should be coordinated
with the applications that will eventually use the tools.

3. Failure to apply HDM throughout all stages of KSOS. Although the
modularization achieved by the formal specifications is clean and
comprehensible, there was a failure to apply the hierarchical aspects of the
methodology. The original lower-level specifications were simply
transliterations from the Modula code to SPECIAL, rather than an evolvement
from top-level specifications. The gap between upper- and lower-level
specifications was a significant reason for failure to achieve code
proofs. In the future, more rigorous use of all aspects of HDM will be
required. In particular, implementation should not commence until there
is a clear hierarchy of specifications, with appropriate mapping
functions between adjacent levels, in which there is a reasonable gap between
the bottom level and the state space corresponding to the implementation
language. (It is worth noting that FACC has applied HDM in its entirety,
as just mentioned, in IR&D projects during 1980 with successful results.)

4. Shortcomings of Specification Technology. The lack of powerful
constructs in SPECIAL (and all other specification languages) for
concurrency and dynamic processes created another gap between the code and
the specifications. For future applications, more powerful versions of
HDM, in which SPECIAL is buttressed by appropriate concurrency and
process constructs, and in which there is a closer correlation between HDM
and the underlying theorem prover, will help achieve verification goals.

5. Oversimplicities in the basic security model. The Bell and LaPadula
model which formed the basis for the KSOS security model is inappropriate
in several respects, e.g., there is no direct way to model KSOS
privileges (which is a major reason the NKSR specifications were not
proven), and it does not allow the reuse of resources such as seids (which
is required in a finite implementation). In the future, more
sophisticated and relevant models should be developed.
4. Appendix A - Kernel Formal Specifications

This appendix contains the most recent version of the Kernel Formal
Specifications that were actually verified. The current version, which
describes the system actually delivered, appears as an appendix to the Kernel
B-Specs.
Fri Mar 27 15:30:44 1981

$(" MODULE: fca.specs (version 2.21)
    CONTENTS: File Capabilities
    TYPE: SPECIAL specifications
    LAST CHANGED: 10/12/79, 11:26:25
")

MODULE fca

$(" This module manages all openable objects, i.e., those that are referenced
through the open table corresponding to a process. These objects include
files, devices - both addressable and nonaddressable -, terminals, extents,
and subtypes.

Each object is identified by a seid. Seids for devices, terminals, and
subtypes are allocated at system generation time. These objects are
permanent, and cannot be dynamically allocated and deallocated.
Seids for files are allocated by this module. Seids for extents are
allocated when the device is physically mounted. Physical mounting
is not handled at this time -- logical mounting is -- but should be.

Each process at creation is assigned an open table, in which all the
open objects of that process are recorded, along with their mode of
access. The state of the open table for a process is recorded in the
values of the V-functions 'FCAopenTableExists(pSeid)', which tells
whether the open table for the process named by 'pSeid' exists, and
'FCAopenEntry(pSeid, od)', which gives the seid and open mode for the
open object of process 'pSeid' named by the open descriptor -- a
designator -- 'od'.

The existence of an openable object is detected by a defined value for
'FCAfileStatusInfo(fSeid)', where 'fSeid' is the object's seid. Each
object's type is ascertained by looking at the nsp part of the seid.
Depending on the type of the object, certain V-functions hold additional
information. A description of this information can be found in the
comment directed at each type of object.")

$(" DEVICES -- there are two kinds of devices, addressable and nonaddressable;
an addressable device, such as a disk, has two properties: it can be
accessed via a block number or address; and what is put onto the device
via a read operation is retrieved by a write when the device is read at
the same address. A non-addressable device, such as a tape unit, can be
viewed as having an infinite stream of input data and producing an
infinite stream of output data. Each kind of device has four quantities
associated with it: a minimum request, a maximum request, a size
modulus, and a maximum block number. For non-addressable devices, the
size modulus must be 1 and the maximum block number must be zero.
An IO request specifies a certain number of characters at a certain
block number. The number of characters must be within the range
defined by the minimum and maximum request quantities for the device,
and must be a multiple of the size modulus. The block number must be
within the range {0 .. maximum block number} for the device.
")

$(" TERMINALS -- With one exception, terminals are nonaddressable devices
whose IO requests are limited to small multiples of a single character
(<= 255). Terminals, however, have a special property. To enable the
user to change the security level of his job without changing terminals,
there is an illusion that a single terminal is represented by a
multiplicity of device seids, one for each possible login security level.
Each seid represents a particular secure path to the terminal. Only
one path to the terminal may do IO operations at a time, and this path
is specified by the value of the V-function 'FCAcurrentPath(t)', where
t refers to the terminal group or physical terminal.
The different paths associated with a particular physical terminal
are specified by the value of the V-function 'FCAterminalPathSet(t)',
where t is as above.")

$(" EXTENTS -- Extents are addressable devices, representing areas on a
disk, with a block size of 512 and a size determined when the device is
physically mounted. For the purposes of this specification, the size
has been predetermined, as no physical mounting is specified. The
special property of extents is that they can be logically mounted, so
that they 'become' a file system or set of files. When the system is
started up, there are no files, except the root, only extents. Each
extent is mounted, setting up the actual file system that a user sees
when he logs on. When the extent is mounted, it can no longer be
accessed as an extent. Unmounting turns a file system back into an
extent, and the file system disappears.")

$(" FILES -- Files are addressable devices, with a block size of 512 and
two important properties. They can be dynamically created and deleted,
and they are of variable size. Writing onto the end of a file effectively
changes its size. Files may also be linked to. A link is a reference
count used by the directory manager sitting above the kernel. It
represents the number of directories in which a file is found. When
this count goes to 0, and no process has the file open, the file
is deleted. This is the only way of deleting files, although they can
be explicitly created.")

$(" SUBTYPES -- This is an additional protection mechanism over and above
that provided by the mandatory, privilege, and discretionary access
control systems. Each openable object may be associated with a
subtype, of which there are a fixed number at system generation time.
Any object of a non-null subtype may be accessed only by those processes
who have access rights to the subtype as well as the object. The
access right to a subtype is established by opening the subtype for
the desired access. Access to the subtype is granted or denied according
to the usual mandatory and discretionary rules. An object with
a non-null subtype can be accessed only when the open descriptor for
the subtype, to which access must already have been granted, is
presented, and when the desired access to the object is a subset of
the access granted to the subtype. This forms a mini-capability
mechanism with type extension, which is necessary for achieving access
control over objects such as directories. Thus there will be a
directory subtype, to prevent arbitrary programs from damaging the
directory system just because they have access to a particular
directory. The rules for subtype access occur in the open function and
all functions that require a subtype capability for accessing
an object.")

TYPES

$(FROM smx)
nonDisType: STRUCT_OF(
    INTEGER securityLevel; SET_OF securityCat securityCatS;
    INTEGER integrityLevel; SET_OF integrityCat integrityCatS);
daType: SET_OF daMode;
modeStruct: STRUCT_OF(daType ownerMode, groupMode, allMode);
tiiStruct: STRUCT_OF(nonDisType nd; modeStruct da; INTEGER owner, group;
    SET_OF privType priv);

$(from fca -- exportable)
openDescriptor: DESIGNATOR;
openModes: {omRead, omWrite, omExclusive};
IOfunction: {rewind, etc}; $(names for special kinds of IO functions)
deviceType: {RK05, RWP04, RWP05, RWP06, RSW04, TWE16, TM11, TU56, PR11,
    PC11, LP11, IMP11B, LHDH};
terminalGroup: DESIGNATOR;

$(from fca -- redeclarable)
fileStatus: STRUCT_OF(INTEGER nBlocks, linkCount, timeLastMod; seid subtype;
    BOOLEAN openAtCrash);
$(data about an openable object that is returned to the user)
globalData: STRUCT_OF(INTEGER linkCount, timeLastMod; seid subtype;
    BOOLEAN openAtCrash);
$(state information for all openable objects)
fileBlock: VECTOR_OF CHAR;
ioStatus: STRUCT_OF(INTEGER devIndep, devDep);
$(result of an IO operation, including possible hardware failure)
openFileEntry: STRUCT_OF(seid openSeid; SET_OF openModes openMode);
$(entry in a process' open file table)
asyncId: CHAR;
readResult: STRUCT_OF(VECTOR_OF fileBlock data; ioStatus errst);
deviceStruct: STRUCT_OF(BOOLEAN addressable;
    INTEGER minRequest, maxRequest, modSize, maxBlockNo);
$(properties necessary for processing IO requests for devices)
mountTableEntry: STRUCT_OF(seid leafSeid, rootSeid; BOOLEAN readonly;
    tiiStruct devTii; globalData devGl);
fileSystemEntry: STRUCT_OF(seid fileSeid; globalData gl; tiiStruct tii;
    VECTOR_OF fileBlock fileData);
$(the state of a file, for purposes of mounting and unmounting)
fileSystem: SET_OF fileSystemEntry;
$(the state of an entire mountable file system)
sodPair: STRUCT_OF(seid ps; openDescriptor od);
$(for openCount definition)


PARAMETERS

SET_OF seid subtypeSeidSet; $(set of non-null subtypes known to the system)
seid FCAstSeid; $(all objects who have this seid as their subtype ARE
    in fact subtypes)
seid nullStSeid; $(seid indicating the null subtype)
openDescriptor FCAnullSt; $(a file descriptor indicating the null subtype)
seid FCArootSeid; $(distinguished root of KSOS permanent file system)
INTEGER FCAmaxOpenDescriptors; $(maximum number of open descriptors per
    process)

DEFINITIONS

INTEGER FCAfileSize(seid fSeid) IS
    CARDINALITY({INTEGER i | FCAfileData(fSeid, i) ~= ?});
$(the size, in blocks, of an addressable device, file, or extent)

INTEGER nOpenDescriptors(seid pSeid) IS
    CARDINALITY({openDescriptor od | FCAopenEntry(pSeid, od) ~= ?});
$(the number of open objects in a given process; it must not exceed a fixed
maximum)

INTEGER openCount(seid fSeid) IS
    CARDINALITY({sodPair sp | FCAopenEntry(sp.ps, sp.od).openSeid = fSeid});
$(the number of times that a given openable object is open)

deviceStruct deviceDataSeid(seid fSeid) IS
    FCAdeviceData(FCAdeviceType(fSeid));
$(given the seid of a device, the data on which its IO requests depend)

SET_OF daMode h_modeTrans(SET_OF openModes oModes) IS
    (IF omRead INSET oModes THEN {daRead} ELSE {})
    UNION (IF omWrite INSET oModes THEN {daWrite} ELSE {});
$(translates from one enumerated type, openModes, to another slightly
different enumerated type, discretionary access modes)

BOOLEAN isCurrentPath(seid tSeid) IS
    EXISTS terminalGroup t : FCAcurrentPath(t) = tSeid;
$(for a given terminal, tells whether it is the active path to its physical
device)

BOOLEAN isReadOnly(seid s) IS
    EXISTS seid devSeid
    : SENseidNsp(FCAmountTable(devSeid).rootSeid) = SENseidNsp(s)
      AND FCAmountTable(devSeid).readonly = TRUE;
$(tells whether or not a given file is on a file system that is mounted in
read-only mode)

seid indir(seid fSeid) IS
    LET seid devSeid | FCAmountTable(devSeid).leafSeid = fSeid
    IN IF devSeid = ? THEN fSeid ELSE FCAmountTable(devSeid).rootSeid;
$(if a file represents the spot in the file system where a file system
has been mounted, it is translated into the root of the mounted file
system)

EXTERNALREFS

FROM mac:
    VFUN MACclock() -> INTEGER time;

FROM smx:
    seid: DESIGNATOR;
    secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype,
        tExtent, tNull};
    privType: {
        privFileUpdateStatus, privLink, privLockSeg,
        privModifyPriv, privMount,
        privSetFileLevel, privSetSegProcLevel,
        privStickySeg, privTerminalLock,
        privViolSimpSecurity, privViolStarSecurity,
        privViolSimpIntegrity, privViolStarIntegrity,
        privViolDiscrAccess, privSignal, privWalkPTable,
        privHalt, privKernelCall, privViolCompartments,
        privRealizeExecPermissions};
    daMode: {daRead, daWrite, daExecute};
    securityCat: DESIGNATOR;
    integrityCat: DESIGNATOR;
    VFUN SENseidNsp(seid s) -> INTEGER nsp;
    VFUN SENseidType(seid s) -> secureEntityType set;
    VFUN TIIinfo(seid s) -> tiiStruct tiist;
    VFUN SMXhasPriv(seid pSeid; privType priv) -> BOOLEAN b;
    VFUN SMXflow(seid pSeid, oSeid; daType da) -> BOOLEAN b;
    VFUN SMXdap(seid pSeid, oSeid; daType da) -> BOOLEAN b;

ASSERTIONS

FORALL seid fSeid | FCAinfo(fSeid) ~= ?
    : SENseidType(fSeid) INSET {tTerminal, tDevice, tSubtype, tFile, tExtent};
$(restricts the types of objects manipulated by this module)

FORALL seid fSeid : {INTEGER i | FCAfileData(fSeid, i) ~= ?}
    = {0 .. FCAfileSize(fSeid) - 1};
$(the blocks of a file, extent, or addressable device form a sequence)

FORALL seid dSeid
    | SENseidType(dSeid) = tDevice AND FCAinfo(dSeid) ~= ?
    : (LET deviceStruct d = deviceDataSeid(dSeid)
       IN NOT d.addressable => d.modSize = 1 AND d.maxBlockNo = 0);
$(necessary properties of all non-addressable devices)

FORALL seid fSeid
    | FCAinfo(fSeid) ~= ?
    : (LET secureEntityType t = SENseidType(fSeid)
       IN FORALL INTEGER i | FCAfileData(fSeid, i) ~= ?
          : LENGTH(FCAfileData(fSeid, i))
            = (IF t = tDevice THEN deviceDataSeid(fSeid).modSize
               ELSE IF t INSET {tExtent, tFile} THEN 512
               ELSE ?));
$(the lengths of all blocks for files, extents, or addressable devices
must correspond to the parameters for those objects)

FORALL seid s | SENseidType(s) = tTerminal AND FCAinfo(s) ~= ?
    : (EXISTS terminalGroup t1
       : s INSET FCAterminalPathSet(t1)
         AND (FORALL terminalGroup t2 ~= t1
              : NOT s INSET FCAterminalPathSet(t2)));
$(each terminal is in exactly one terminal group)


FORALL seid f
    | EXISTS INTEGER i : FCAfileData(f, i) ~= ?
    : FCAinfo(f) ~= ?
      AND (SENseidType(f) = tDevice AND deviceDataSeid(f).addressable = TRUE
           OR SENseidType(f) INSET {tFile, tExtent});
$(only files, extents, or addressable devices have file data)

FORALL seid f
    : (FCAinputStream(f) ~= ? AND FCAoutputStream(f) ~= ?)
      = (SENseidType(f) = tTerminal
         OR SENseidType(f) = tDevice
            AND deviceDataSeid(f).addressable = FALSE);
$(non-addressable devices have both an input and an output stream, although
it may always be null)

FORALL seid pSeid | FCAopenTableExists(pSeid)
    : FCAopenEntry(pSeid, FCAnullSt) = ?;
$(there are never any opened objects assigned to the open descriptor
reserved for the null subtype)

FORALL seid s1, s2
    : SENseidType(s1) = tSubtype AND SENseidType(s2) = tSubtype
      => SENseidNsp(s1) = SENseidNsp(s2);
$(subtypes have only one name space partition)

SENseidType(nullStSeid) = tSubtype AND SENseidType(FCAstSeid) = tSubtype;
$(the null subtype seid and the subtype seid indicating "subtype")

FORALL seid s INSET subtypeSeidSet : SENseidType(s) = tSubtype;
$(properties of the set of non-null subtypes)

SENseidType(FCArootSeid) = tFile;
$(property of the distinguished root of the entire file system)

FORALL seid f | FCAinfo(f) ~= ? AND SENseidType(f) = tFile
    : EXISTS seid d : SENseidNsp(FCAmountTable(d).rootSeid) = SENseidNsp(f)
      OR f = FCArootSeid;
$(a file is either the root or it is on a mountable file system)

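The assertions above are state invariants: every reachable kernel state must satisfy them, and a verification condition generator discharges them against each OFUN. The Python below is an added example, not KSOS code and not part of the SPECIAL listing; it evaluates six of these assertions (block sequence, block length, which objects may hold file data, one terminal group per terminal, nothing open on FCAnullSt, one name-space partition for subtypes) over a constructed snapshot of the V-functions. The class KernelState, the labels returned, and the sample seids are assumptions of this example; device block sizes (modSize) are not modelled, so the block-length rule is checked for files and extents only.

```python
from collections import defaultdict

FCA_NULL_ST = "FCAnullSt"   # the open descriptor reserved for the null subtype (PARAMETERS)


class KernelState:
    """Constructed snapshot of the V-functions the fca ASSERTIONS refer to."""

    def __init__(self):
        self.seid_type = {}      # SENseidType(s): tFile, tExtent, tTerminal, tDevice, tSubtype
        self.seid_nsp = {}       # SENseidNsp(s): name-space partition number
        self.info = set()        # seids with FCAinfo(s) ~= ?
        self.addressable = {}    # deviceDataSeid(s).addressable, device seids only
        self.file_data = defaultdict(dict)   # FCAfileData(s, blockNo) -> block bytes
        self.terminal_paths = {}             # FCAterminalPathSet(t): group -> set of seids
        self.open_entry = {}                 # FCAopenEntry(p, od) -> (seid, modes)


def check_assertions(st):
    """Evaluate six of the module assertions; returns labels of those violated."""
    bad = []
    for s, blocks in st.file_data.items():
        t = st.seid_type.get(s)
        # only files, extents and addressable devices have file data
        if s not in st.info or not (t in ("tFile", "tExtent")
                                    or (t == "tDevice" and st.addressable.get(s))):
            bad.append(f"file data holder:{s}")
        # the blocks form the sequence {0 .. FCAfileSize(s) - 1}
        if set(blocks) != set(range(len(blocks))):
            bad.append(f"block sequence:{s}")
        # file and extent blocks are 512 characters long
        if t in ("tFile", "tExtent") and any(len(b) != 512 for b in blocks.values()):
            bad.append(f"block length:{s}")
    # each existing terminal is in exactly one terminal group
    for s, t in st.seid_type.items():
        if t == "tTerminal" and s in st.info:
            groups = [g for g, paths in st.terminal_paths.items() if s in paths]
            if len(groups) != 1:
                bad.append(f"terminal group:{s}")
    # nothing is ever open on the descriptor reserved for the null subtype
    for (p, od) in st.open_entry:
        if od == FCA_NULL_ST:
            bad.append(f"null subtype od:{p}")
    # subtypes have only one name space partition
    if len({st.seid_nsp[s] for s, t in st.seid_type.items() if t == "tSubtype"}) > 1:
        bad.append("subtype nsp")
    return bad


def good_state():
    """A state that satisfies every checked assertion (constructed sample)."""
    st = KernelState()
    st.seid_type.update({"f1": "tFile", "dk0": "tDevice", "tape0": "tDevice",
                         "t1": "tTerminal", "t2": "tTerminal",
                         "st1": "tSubtype", "st2": "tSubtype"})
    st.seid_nsp.update({"f1": 3, "dk0": 2, "tape0": 2, "t1": 1, "t2": 1,
                        "st1": 7, "st2": 7})
    st.info.update(st.seid_type)           # every object exists
    st.addressable.update({"dk0": True, "tape0": False})
    st.file_data["f1"] = {0: b"\0" * 512, 1: b"\0" * 512}
    st.file_data["dk0"] = {0: b"\0" * 512}
    st.terminal_paths = {"tty0": {"t1", "t2"}}
    st.open_entry[("p1", "od1")] = ("f1", {"omRead"})
    return st


def bad_state():
    """good_state() with one violation planted per checked assertion."""
    st = good_state()
    st.file_data["f1"] = {0: b"\0" * 512, 2: b"\0" * 100}   # gap at block 1, short block 2
    st.file_data["tape0"] = {0: b"\0"}                      # non-addressable device with data
    st.terminal_paths["tty1"] = {"t2"}                      # t2 now in two groups
    st.open_entry[("p1", FCA_NULL_ST)] = ("st1", {"omRead"})  # reserved descriptor in use
    st.seid_nsp["st2"] = 8                                  # subtypes in two partitions
    return st


if __name__ == "__main__":
    print("good state violations:", check_assertions(good_state()))
    print("bad state violations:", check_assertions(bad_state()))
```

A checker of this shape is what a code proof would have to establish for every state the Modula procedures can produce; running it over hand-built states is a cheap way to confirm that one has read an assertion correctly before attempting to prove it.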

FUNCTIONS

$(---------- state functions -- devices ----------)

VFUN FCAdeviceType(seid fSeid) -> deviceType d; $(FCAdeviceType)
$(gives the type of a particular device, which determines its IO behavior)
HIDDEN;
INITIALLY
    (d ~= ?)
    = (SENseidType(fSeid) = tDevice AND FCAinfo(fSeid) ~= ?);

VFUN FCAdeviceData(deviceType d) -> deviceStruct ds; $(FCAdeviceData)
$(for a given type of device, defines the IO behavior)
HIDDEN;
INITIALLY
    ds = (IF d = RK05
          THEN STRUCT(TRUE, 512, 32768, 512, 203*24-1)
          ELSE IF d INSET {RWP04, RWP05}
          THEN STRUCT(TRUE, 512, 32768, 512, 22*19*411-1)
          ELSE IF d = RWP06
          THEN STRUCT(TRUE, 512, 32768, 512, 22*19*411*2-1)
          ELSE IF d = RSW04 THEN STRUCT(TRUE, 512, 32768, 512, 2048-1)
          ELSE IF d INSET {TWE16, TM11} THEN STRUCT(FALSE, 12, 8191, 1, 0)
          ELSE IF d = TU56 THEN STRUCT(TRUE, 512, 512, 512, 0)
          ELSE IF d INSET {PR11, PC11} THEN STRUCT(FALSE, 1, 1, 1, 0)
          ELSE IF d = LP11 THEN STRUCT(FALSE, 1, 132, 1, 0)
          ELSE IF d INSET {IMP11B, LHDH} THEN STRUCT(FALSE, 1, 8191, 1, 0)
          ELSE ?);

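The FCAdeviceData table above supplies the four quantities that the DEVICES comment says every IO request is checked against (minimum and maximum request, size modulus, maximum block number), and FCAfileData below reuses the same deviceStruct shape for files, extents and terminals. The Python below is an added example, not KSOS code: it transcribes the table, applies the DEVICES request rules to a request, and checks the non-addressable-device assertion over the whole table. Function names, the device_struct_for helper (which mirrors the local definition d of FCAfileData) and the error labels are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceStruct:
    """deviceStruct from the TYPES section of fca."""
    addressable: bool
    min_request: int
    max_request: int
    mod_size: int
    max_block_no: int


# The INITIALLY clause of FCAdeviceData, one entry per device type.
FCA_DEVICE_DATA = {
    "RK05":   DeviceStruct(True, 512, 32768, 512, 203 * 24 - 1),
    "RWP04":  DeviceStruct(True, 512, 32768, 512, 22 * 19 * 411 - 1),
    "RWP05":  DeviceStruct(True, 512, 32768, 512, 22 * 19 * 411 - 1),
    "RWP06":  DeviceStruct(True, 512, 32768, 512, 22 * 19 * 411 * 2 - 1),
    "RSW04":  DeviceStruct(True, 512, 32768, 512, 2048 - 1),
    "TWE16":  DeviceStruct(False, 12, 8191, 1, 0),
    "TM11":   DeviceStruct(False, 12, 8191, 1, 0),
    "TU56":   DeviceStruct(True, 512, 512, 512, 0),
    "PR11":   DeviceStruct(False, 1, 1, 1, 0),
    "PC11":   DeviceStruct(False, 1, 1, 1, 0),
    "LP11":   DeviceStruct(False, 1, 132, 1, 0),
    "IMP11B": DeviceStruct(False, 1, 8191, 1, 0),
    "LHDH":   DeviceStruct(False, 1, 8191, 1, 0),
}


def fca_device_data(device_type):
    """FCAdeviceData(d); None stands for the specification's '?' (undefined)."""
    return FCA_DEVICE_DATA.get(device_type)


def device_struct_for(entity_type, device_type=None, file_size=0):
    """The local definition 'd' of FCAfileData: devices come from the table,
    files and extents get 512-character blocks 0 .. FCAfileSize-1, and
    everything else (terminals, subtypes) the shape STRUCT(FALSE, 1, 255, 1, 0)."""
    if entity_type == "tDevice":
        return fca_device_data(device_type)
    if entity_type in ("tFile", "tExtent"):
        return DeviceStruct(True, 512, 32768, 512, file_size - 1)
    return DeviceStruct(False, 1, 255, 1, 0)


def non_addressable_invariant_holds(d):
    """Module assertion: NOT d.addressable => d.modSize = 1 AND d.maxBlockNo = 0."""
    return d.addressable or (d.mod_size == 1 and d.max_block_no == 0)


def io_request_errors(d, n_chars, block_no):
    """Check one IO request (n_chars at block_no) against the DEVICES rules.
    Returns the rules it breaks; an empty list means the request is well formed."""
    errors = []
    if not d.min_request <= n_chars <= d.max_request:
        errors.append("size outside [minRequest, maxRequest]")
    if n_chars % d.mod_size != 0:
        errors.append("size not a multiple of modSize")
    if not 0 <= block_no <= d.max_block_no:
        errors.append("block number outside {0 .. maxBlockNo}")
    return errors


if __name__ == "__main__":
    for name, d in FCA_DEVICE_DATA.items():
        print(name, "invariant ok" if non_addressable_invariant_holds(d) else "VIOLATED")
    print(io_request_errors(fca_device_data("RK05"), 1000, 0))
```

Note the empty-file case: device_struct_for("tFile", file_size=0) yields maxBlockNo = -1, so no block number is valid, which is exactly what the "blocks form a sequence {0 .. FCAfileSize - 1}" assertion says about a zero-length file.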

$(---------- state functions -- terminals ----------)

VFUN FCAterminalPathSet(terminalGroup t) -> SET_OF seid ss;
    $(FCAterminalPathSet)
$(defines the set of paths, or logical terminals, that correspond to
a given terminal group, or physical terminal)
HIDDEN;
INITIALLY
    FORALL seid s INSET ss
    : FCAinfo(s) ~= ? AND SENseidType(s) = tTerminal;

VFUN FCAcurrentPath(terminalGroup t) -> seid s; $(FCAcurrentPath)
$(the seid of the logical terminal that is allowed to do IO on a given
physical terminal)
HIDDEN;
INITIALLY
    s INSET FCAterminalPathSet(t);

$(---------- state functions -- mountable file systems ----------)

VFUN FCAmountTable(seid extentSeid) -> mountTableEntry mte; $(FCAmountTable)
$(for a given extent that is mounted, tells leaf of the old file system,
the root of the new or mounted file system, whether the file system
is read only, and the state information for the extent)
HIDDEN;
INITIALLY mte = ?;

VFUN FCAextentToFileSys(VECTOR_OF fileBlock fb; seid rootSeid)
    -> fileSystem fs; $(FCAextentToFileSys)
$(given the data of a given extent and a root seid for a file system
to be made out of the extent whose data is given, produces the
file system consisting of a set of tuples each made up of a
file seid and the state of the file)
HIDDEN;
INITIALLY
    fs ~= ? =>
        (EXISTS fileSystemEntry fse INSET fs : rootSeid = fse.fileSeid)
        AND (FORALL fileSystemEntry fse INSET fs
             : SENseidNsp(fse.fileSeid) = SENseidNsp(rootSeid));
$(a constant function for data conversion)

$(---------- state functions -- all openable objects ----------)

VFUN FCAinfo(seid fSeid) -> globalData gl; $(FCAinfo)
$(the status information, excluding data and type dependent stuff, for
an openable object)
HIDDEN;
INITIALLY
    IF deviceDataSeid(fSeid) ~= ? THEN gl ~= ?
    ELSE IF fSeid INSET {FCArootSeid, FCAstSeid, nullStSeid}
    THEN gl.subtype = nullStSeid
    ELSE IF fSeid INSET subtypeSeidSet THEN gl.subtype = FCAstSeid
    ELSE gl = ?;

VFUN FCAfileData(seid fSeid; INTEGER blockNo) -> fileBlock fb; $(FCAfileData)
$(the data contained on a file, extent or an addressable device)
DEFINITIONS
    secureEntityType type IS SENseidType(fSeid);
    deviceStruct d
        IS IF type = tDevice THEN deviceDataSeid(fSeid)
           ELSE IF type INSET {tFile, tExtent}
           THEN STRUCT(TRUE, 512, 32768, 512, FCAfileSize(fSeid)-1)
           ELSE STRUCT(FALSE, 1, 255, 1, 0);
HIDDEN;
INITIALLY
    (IF FCAinfo(fSeid) = ? OR type INSET {tTerminal, tSubtype}
        OR NOT blockNo INSET {0 .. d.maxBlockNo} OR NOT d.addressable
     THEN fb = ?
     ELSE fb ~= ?)
    AND (fb ~= ?
         => LENGTH(fb) = d.modSize
            AND (FORALL INTEGER i INSET {0 .. blockNo - 1}
                 : FCAfileData(fSeid, i) ~= ?)
            AND (FORALL INTEGER j INSET {1 .. LENGTH(fb)}
                 : fb[j] ~= ?));

VFUN FCAinputStream(seid fSeid) -> VECTOR_OF CHAR vc; $(FCAinputStream)
$(the input data for terminals and nonaddressable devices)
HIDDEN;
INITIALLY
    IF FCAinfo(fSeid) ~= ?
       AND (SENseidType(fSeid) = tTerminal
            OR SENseidType(fSeid) = tDevice
               AND deviceDataSeid(fSeid).addressable = TRUE)
    THEN vc ~= ?
    ELSE vc = ?;

VFUN FCAoutputStream(seid fSeid) -> VECTOR_OF CHAR vc; $(FCAoutputStream)
$(the output data for terminals and nonaddressable devices)
HIDDEN;
INITIALLY
    IF FCAinfo(fSeid) ~= ?
       AND (SENseidType(fSeid) = tTerminal
            OR SENseidType(fSeid) = tDevice
               AND deviceDataSeid(fSeid).addressable = TRUE)
    THEN vc ~= ?
    ELSE vc = ?;

$(---------- state functions -- open tables ----------)

VFUN FCAopenTableExists(seid pSeid) -> BOOLEAN b; $(FCAopenTableExists)
$(the existence predicate for the table of openable objects corresponding
to a given process)
HIDDEN;
INITIALLY b = FALSE;

VFUN FCAopenEntry(seid pSeid; openDescriptor od) -> openFileEntry oe;
$(the information in entry "od" of the open table of process "pSeid")
HIDDEN; $(FCAopenEntry)
INITIALLY oe = ?;

$(---------- creation of files ----------)

OVFUN FCAcreate(seid pSeid, nspSeid; modeStruct da; openDescriptor stCap)
    -> STRUCT_OF(seid fSeid; openDescriptor od) return; $(FCAcreate)
$(creates a file and opens it in the desired mode. The file system on
which the file resides must be writable. If a subtype capability
is provided it must refer to a valid subtype. The created file gets
only the discretionary access permission specified. All other data
comes from the process making the call. The file is originally of zero
length)
DEFINITIONS
    tiiStruct ptii IS TIIinfo(pSeid);
    tiiStruct otii IS STRUCT(ptii.nd, da, ptii.owner, ptii.group, ptii.priv);
    seid extSeid
        IS SOME seid s | SENseidNsp(FCAmountTable(s).rootSeid)
                         = SENseidNsp(nspSeid);
EXCEPTIONS
    $(these exceptions subsume those for opening a file for writing)
    KEfcaBadNsp:
        extSeid = ? OR NOT SMXflow(pSeid, extSeid, {daRead, daWrite});
    KEfcaNoWriteDa: NOT daWrite INSET da.ownerMode;
    KEfcaDevNotWritable: isReadOnly(nspSeid);
    KEfcaBadSubtype: stCap ~= FCAnullSt
        AND FCAinfo(FCAopenEntry(pSeid, stCap).openSeid).subtype ~= FCAstSeid;
    KEfcaSTNotWritable:
        stCap ~= FCAnullSt
        AND NOT omWrite INSET FCAopenEntry(pSeid, stCap).openMode;
    KEfcaOdSpace: nOpenDescriptors(pSeid) >= FCAmaxOpenDescriptors;
    RESOURCE_ERROR;
ASSERTIONS
    FCAopenTableExists(pSeid);
EFFECTS
    LET seid fs | FCAinfo(fs) = ?;
        openDescriptor o | FCAopenEntry(pSeid, o) = ? AND o ~= FCAnullSt
    IN return = STRUCT(fs, o)
       AND 'TIIinfo(fs) = otii
       AND 'FCAopenEntry(pSeid, o) = STRUCT(fs, {omWrite})
       AND 'FCAinfo(fs) = STRUCT(0, MACclock(),
                                 IF stCap = FCAnullSt THEN nullStSeid
                                 ELSE FCAopenEntry(pSeid, stCap).openSeid,
                                 FALSE);


$(---------- file opening and closing ----------)


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505 

OVFUN FCAopen(seid pSeid, oSeid; SET_OF openModes mode; openDescriptor stCap)
  -> openDescriptor od;                                          $(FCAopen)
  $(opens the openable object specified by "oSeid". The object must exist
    and the process "pSeid" must have the right mandatory and discretionary
    access. Special rules, described below, apply to subtypes.
    Special rules also apply when the object is being opened for exclusive
    use. Only one process may open an object for exclusive use.
    A process is allowed a fixed maximum number of open objects.)
  DEFINITIONS
    seid o IS indir(oSeid);
    globalData ofst IS FCAinfo(o);
    openFileEntry stEntry IS FCAopenEntry(pSeid, stCap);
    BOOLEAN anotherExcl IS
      EXISTS seid pSeid1; openDescriptor od1:
        FCAopenEntry(pSeid1, od1).openSeid = o AND
        omExclusive INSET FCAopenEntry(pSeid1, od1).openMode;
      $(the object is opened exclusive use elsewhere)
  EXCEPTIONS
    KEfcaNoFile: ofst = ? OR NOT SMXflow(pSeid, o, modeTrans(mode));
    KEfcaBadRefCount: ofst.linkCount = 0;
    KEfcaBadStCap:
      stCap ~= FCAnullSt AND FCAinfo(stEntry.openSeid).subtype ~= FCAstSeid;
      $(a subtype capability was specified, but it is not for a valid subtype)
    KEfcaNoStCap:
      stCap = FCAnullSt AND NOT ofst.subtype INSET {nullStSeid, FCAstSeid};
      $(no subtype capability was specified, but the object has a non-null
        subtype)
    KEfcaBadSubtypeMatch:
      stCap ~= FCAnullSt
      AND (stEntry.openSeid ~= ofst.subtype
           OR NOT mode SUBSET stEntry.openMode);
      $(a subtype capability is specified, but it does not match the subtype
        of the object, with access modes included)
    KEfcaDapViol: NOT SMXdap(pSeid, o, modeTrans(mode));
    KEfcaNotWritable: omWrite INSET mode AND isReadOnly(o);
    KEfcaNoExclDA:
      omExclusive INSET mode AND NOT {omRead, omWrite} SUBSET mode;
    KEfcaCritExcl:
      anotherExcl OR (openCount(o) > 0 AND omExclusive INSET mode);
      $(either the object was opened elsewhere for exclusive use, or
        exclusive use is requested and the object is open elsewhere)
    KEfcaOdSpace: nOpenDescriptors(pSeid) >= FCAmaxOpenDescriptors;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    LET openDescriptor od1 | FCAopenEntry(pSeid, od1) = ? AND od1 ~= FCAnullSt
    IN 'FCAopenEntry(pSeid, od1) = STRUCT(o, mode)
       AND od = od1;

OFUN FCAclose(seid pSeid; openDescriptor od);                    $(FCAclose)
  $(closes the open object named by "od". If the object is not in use by
    anyone else, either by linking or by opening, then the object is deleted)
  DEFINITIONS
    openFileEntry oe IS FCAopenEntry(pSeid, od);
    seid fSeid IS oe.openSeid;
    globalData ofst IS FCAinfo(fSeid);
  EXCEPTIONS
    KEfcaBadOd: oe = ?;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    ofst.linkCount = 0
    AND openCount(fSeid) = 1
    AND SENseidType(fSeid) = tFile
    => 'FCAinfo(fSeid) = ?
       AND (FORALL INTEGER i : 'FCAfileData(fSeid, i) = ?)
       AND 'TIIinfo(fSeid) = ?;
    'FCAopenEntry(pSeid, od) = ?;
    $(the openAtCrash field is cleared when closing an object that was open
      for writing. This has not been put in.)

  $( ----- open table maintenance ----- )

OFUN FCAcreateOpenTable(seid pSeid);                             $(FCAcreateOpenTable)
  $(this operation creates an open table associated with a process seid;
    it is used as an auxiliary operation by the process modules when
    creating a new process)
  ASSERTIONS
    NOT FCAopenTableExists(pSeid);
  EFFECTS
    'FCAopenTableExists(pSeid) = TRUE;

OFUN FCAdeleteOpenTable(seid pSeid);                             $(FCAdeleteOpenTable)
  $(Deletes the open table associated with a process; supports the release
    of a process)
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    'FCAopenTableExists(pSeid) = FALSE;

  $( ----- utility operations ----- )

OFUN FCAcloseAll(seid pSeid);                                    $(FCAcloseAll)
  $(Closes all the open objects of an open object table; supports process
    release and invocation. May cause unreferenced objects to be deleted)
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    FORALL openDescriptor od | FCAopenEntry(pSeid, od) ~= ?;
           seid fSeid = FCAopenEntry(pSeid, od).openSeid
      : 'FCAopenEntry(pSeid, od) = ?
        AND (openCount(fSeid) = 1
             AND FCAinfo(fSeid).linkCount = 0
             AND SENseidType(fSeid) = tFile)
            => 'FCAinfo(fSeid) = ?
               AND (FORALL INTEGER i : 'FCAfileData(fSeid, i) = ?)
               AND 'TIIinfo(fSeid) = ?;
    'FCAopenTableExists(pSeid) = FALSE;

OFUN FCAcopyOpenTable(seid fromSeid, toSeid);                    $(FCAcopyOpenTable)
  $(Copies the contents of one open table, "fromSeid," to another, "toSeid."
    "toSeid" must be empty)
  ASSERTIONS
    FCAopenTableExists(fromSeid);
    FCAopenTableExists(toSeid);
    FORALL openDescriptor od : FCAopenEntry(toSeid, od) = ?;
  EFFECTS
    FORALL openDescriptor od
      : 'FCAopenEntry(toSeid, od) = FCAopenEntry(fromSeid, od);

  $( ----- file status operations ----- )

VFUN FCAgetFileStatus(seid pSeid, fSeid) -> fileStatus fst;      $(FCAgetFileStatus)
  $(returns the status of the file. The requesting process must have
    mandatory access to the object, and the object must exist)
  DEFINITIONS
    seid f IS indir(fSeid);
    globalData gl IS FCAinfo(f);
  EXCEPTIONS
    KEfcaNoFile: FCAinfo(f) = ? OR NOT SMXflow(pSeid, f, {daRead});
  DERIVATION
    STRUCT(IF FCAfileSize(f) = ? THEN 0 ELSE FCAfileSize(f),
           gl.linkCount, gl.timeLastMod, gl.subtype,
           gl.openAtCrash);

OFUN FCAsetFileStatus(seid pSeid, fSeid; fileStatus newfs);      $(FCAsetFileStatus)
  $(only the subtype field of an openable object may be changed. The
    requesting process must have mandatory access to the object, and the
    object must exist. Note the particular rule, explained below, relating
    to subtypes)
  DEFINITIONS
    seid f IS indir(fSeid);
    globalData oldfs IS FCAinfo(f);
  EXCEPTIONS
    KEfcaNoFile:
      FCAinfo(f) = ? OR NOT SMXflow(pSeid, f, {daRead, daWrite});
    KEfcaBadDa: NOT SMXdap(pSeid, f, {daRead, daWrite});
    KEfcaNoOwner: TIIinfo(pSeid).owner ~= TIIinfo(f).owner;
    KEfcaBadPriv: NOT SMXhasPriv(pSeid, privFileUpdateStatus);
    KEfcaBadSubtype:
      newfs.subtype ~= oldfs.subtype
      AND (oldfs.subtype ~= nullStSeid
           AND TIIinfo(oldfs.subtype).owner ~= TIIinfo(pSeid).owner
           OR newfs.subtype ~= nullStSeid
           AND TIIinfo(newfs.subtype).owner ~= TIIinfo(pSeid).owner);
      $(the requesting process must be the owner of both the old and
        new subtypes, if non-null)
    KEfcaChangeLink: oldfs.linkCount ~= newfs.linkCount;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    'FCAinfo(f) = STRUCT(newfs.linkCount, newfs.timeLastMod,
                         newfs.subtype, newfs.openAtCrash);

END MODULE
$("  MODULE        fmi.specs (version 2.10)
    CONTENTS:     File Miscellaneous Operations
    TYPE:         SPECIAL specifications
    LAST CHANGED: 10/12/79, 13:58:05
")

MODULE fmi

  $(this module contains miscellaneous file operations that are not included
    in the fca module, because the SPECIAL checker at FACC cannot accommodate
    the combined file)

TYPES

  $(FROM smx)
  nonDisType: STRUCT_OF(
    INTEGER securityLevel; SET_OF securityCat securityCatS;
    INTEGER integrityLevel; SET_OF integrityCat integrityCatS);
  daType: SET_OF daMode;
  modeStruct: STRUCT_OF(daType ownerMode, groupMode, allMode);
  tiiStruct: STRUCT_OF(nonDisType nd; modeStruct da; INTEGER owner, group;
                       SET_OF privType priv);

  $(from fca)
  globalData: STRUCT_OF(INTEGER linkCount, timeLastMod; seid subtype;
                        BOOLEAN openAtCrash);
  ioStatus: STRUCT_OF(INTEGER devIndep, devDep);
  asyncId: CHAR;
  fileBlock: VECTOR_OF CHAR;
  openFileEntry: STRUCT_OF(seid openSeid; SET_OF openModes openMode);
  readResult: STRUCT_OF(VECTOR_OF fileBlock data; ioStatus errst);
  deviceStruct: STRUCT_OF(BOOLEAN addressable;
                          INTEGER minRequest, maxRequest, modSize, maxBlockNo);
  mountTableEntry: STRUCT_OF(seid leafSeid, rootSeid; BOOLEAN readonly;
                             tiiStruct devTii; globalData devGl);
  fileSystemEntry: STRUCT_OF(seid fileSeid; globalData gl; tiiStruct tii;
                             VECTOR_OF fileBlock fileData);
  fileSystem: SET_OF fileSystemEntry;

DEFINITIONS

  $(these definitions are explained in the fca module)

  INTEGER FCAfileSize(seid fSeid) IS
    CARDINALITY({INTEGER i | FCAfileData(fSeid, i) ~= ?});

  INTEGER nOpenDescriptors(seid pSeid) IS
    CARDINALITY({openDescriptor od | FCAopenEntry(pSeid, od) ~= ?});

  INTEGER openCount(seid fSeid) IS
    CARDINALITY({seid pSeid
                 | (EXISTS openDescriptor od
                    : FCAopenEntry(pSeid, od).openSeid = fSeid)});

  deviceStruct deviceDataSeid(seid fSeid) IS
    FCAdeviceData(FCAdeviceType(fSeid));

  BOOLEAN isCurrentPath(seid tSeid) IS
    EXISTS terminalGroup t : FCAcurrentPath(t) = tSeid;

  seid indir(seid fSeid) IS
    LET seid devSeid | FCAmountTable(devSeid).leafSeid = fSeid
    IN IF devSeid = ? THEN fSeid ELSE FCAmountTable(devSeid).rootSeid;

  BOOLEAN isReadOnly(seid fSeid) IS
    EXISTS seid devSeid
      : SENseidNsp(FCAmountTable(devSeid).rootSeid)
        = SENseidNsp(fSeid)
        AND FCAmountTable(devSeid).readonly = TRUE;

EXTERNALREFS

  FROM smx:
    seid: DESIGNATOR;
    secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype,
                       tExtent, tNull};
    privType: {
      privFileUpdateStatus,    privLink, privLockSeg,
      privModifyPriv,          privMount,
      privSetLevel,            privStickySeg, privTerminalLock,
      privViolSimpSecurity,    privViolStarSecurity,
      privViolSimpIntegrity,   privViolStarIntegrity,
      privViolDiscrAccess,     privSignal, privWalkPTable,
      privHalt,                privKernelCall, privViolCompartments,
      privRealizeExecPermissions};
    securityCat: DESIGNATOR;
    integrityCat: DESIGNATOR;
    daMode: {daRead, daWrite, daExecute};
    VFUN SENseidNsp(seid s) -> INTEGER nsp;
    VFUN SENseidType(seid s) -> secureEntityType set;
    VFUN TIIinfo(seid s) -> tiiStruct tiist;
    VFUN TIIgetEntityLevel(seid pSeid, oSeid) -> tiiStruct otii;
    OFUN TIIsetEntityLevel(seid pSeid, oSeid; tiiStruct ntii);
    VFUN SMXhasPriv(seid pSeid; privType priv) -> BOOLEAN b;
    VFUN SMXflow(seid pSeid, oSeid; daType da) -> BOOLEAN b;
    VFUN SMXdap(seid pSeid, oSeid; daType da) -> BOOLEAN b;

  FROM fca:
    openDescriptor: DESIGNATOR;
    openModes: {omRead, omWrite, omExclusive};
    IOfunction: {rewind, etc};
    deviceType: {RK05, RWP04, RWP05, RWP06, RSW04, TWE16, TM11, TU56, PR11,
                 PC11, LP11, IMPUB, LHDH};
    terminalGroup: DESIGNATOR;
    seid FCArootSeid;
    VFUN FCAdeviceType(seid fSeid) -> deviceType d;
    VFUN FCAdeviceData(deviceType d) -> deviceStruct ds;
    VFUN FCAcurrentPath(terminalGroup t) -> seid s;
    VFUN FCAterminalPathSet(terminalGroup t) -> SET_OF seid ss;
    VFUN FCAmountTable(seid extentSeid) -> mountTableEntry mte;
    VFUN FCAextentToFileSys(VECTOR_OF fileBlock fb; seid rootSeid)
      -> fileSystem fs;
    VFUN FCAinfo(seid fSeid) -> globalData gl;
    VFUN FCAfileData(seid fSeid; INTEGER blockNo) -> fileBlock fb;
    VFUN FCAinputStream(seid fSeid) -> VECTOR_OF CHAR vc;
    VFUN FCAoutputStream(seid fSeid) -> VECTOR_OF CHAR vc;
    VFUN FCAopenTableExists(seid pSeid) -> BOOLEAN b;
    VFUN FCAopenEntry(seid pSeid; openDescriptor od) -> openFileEntry oe;

FUNCTIONS

  $( ----- process support operations ----- )

  $(Note: the function FCAcreateOpenTable is sufficient to support PROspawn,
    and the function FCAcloseAll is sufficient to support PROinvoke.
    The other support operations are listed here.)

OFUN FMIforkSupport(seid parent, child);                         $(FMIforkSupport)
  $(This function creates a new open table, "child," and copies all open
    from "parent" into it)
  EXCEPTIONS
    KEfmiExclusiveFile:
      EXISTS openDescriptor od
        : omExclusive INSET FCAopenEntry(parent, od).openMode;
  ASSERTIONS
    FCAopenTableExists(parent);
    NOT FCAopenTableExists(child);
  EFFECTS
    'FCAopenTableExists(child) = TRUE;
    FORALL openDescriptor od
      : 'FCAopenEntry(child, od) = FCAopenEntry(parent, od);

OFUN FMIreleaseSupport(seid pSeid);                              $(FCAreleaseSupport)
  $(Closes all the open objects of an open object table and deletes the
    table)
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    FORALL openDescriptor od | FCAopenEntry(pSeid, od) ~= ?;
           seid fSeid = FCAopenEntry(pSeid, od).openSeid
      : 'FCAopenEntry(pSeid, od) = ?
        AND (openCount(fSeid) = 1
             AND FCAinfo(fSeid).linkCount = 0
             AND SENseidType(fSeid) = tFile)
            => 'FCAinfo(fSeid) = ?
               AND (FORALL INTEGER i : 'FCAfileData(fSeid, i) = ?)
               AND 'TIIinfo(fSeid) = ?;
    'FCAopenTableExists(pSeid) = FALSE;

  $( ----- link and unlink operations ----- )

OFUN FCAlink(seid pSeid, fSeid);                                 $(FCAlink)
  $(increments the link count of an existing file. Mandatory access is
    required, and the process must have the privilege to link. The file
    system must not be mounted in read only mode)
  DEFINITIONS
    seid f IS indir(fSeid);
    globalData fs IS FCAinfo(f);
  EXCEPTIONS
    KEfcaBadPriv: NOT SMXhasPriv(pSeid, privLink);
    KEfcaNotThere: fs = ? OR NOT SMXflow(pSeid, f, {daRead, daWrite});
    KEfcaNotFile: SENseidType(f) ~= tFile;
    KEfcaReadOnly: isReadOnly(f);
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    'FCAinfo(f)
      = STRUCT(fs.linkCount + 1, fs.timeLastMod, fs.subtype, fs.openAtCrash);

OFUN FCAunlink(seid pSeid, fSeid);                               $(FCAunlink)
  $(decrements the reference count of an existing file. Mandatory access is
    required and the process must have the privilege to link. The file
    system that the file is on must not be mounted in read only mode. Note
    that unlinking can cause the file to be deleted if the link count goes
    to zero and the file is not open anywhere)
  DEFINITIONS
    seid f IS indir(fSeid);
    globalData fs IS FCAinfo(f);
  EXCEPTIONS
    KEfcaBadPriv: NOT SMXhasPriv(pSeid, privLink);
    KEfcaNotThere: fs = ? OR NOT SMXflow(pSeid, f, {daRead, daWrite});
    KEfcaNotFile: SENseidType(f) ~= tFile;
    KEfcaReadOnly: isReadOnly(f);
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    IF fs.linkCount = 1 AND openCount(f) = 0
    THEN 'FCAinfo(f) = ?
         AND (FORALL INTEGER i : 'FCAfileData(fSeid, i) = ?)
         AND 'TIIinfo(fSeid) = ?
    ELSE 'FCAinfo(f)
         = STRUCT(fs.linkCount - 1, fs.timeLastMod, fs.subtype,
                  fs.openAtCrash);
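The open, close, link and unlink rules of FCAopen, FCAclose, FCAlink and FCAunlink above, as an executable model. This is an added example, not KSOS code: it assumes FCAmaxOpenDescriptors = 4, takes SMXflow and SMXdap as caller-supplied stand-ins, treats every object as a tFile, and leaves out subtype capabilities, the link privilege and read-only mounts.

```python
# Executable model of the FCAopen / FCAclose / FCAlink / FCAunlink rules above.
# Added example, not KSOS code. Assumed: FCAmaxOpenDescriptors = 4; SMXflow and
# SMXdap are caller-supplied stand-ins; every object is a tFile; subtype
# capabilities, the link privilege and read-only mounts are left out.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

OM_READ, OM_WRITE, OM_EXCL = "omRead", "omWrite", "omExclusive"
FCA_MAX_OPEN_DESCRIPTORS = 4                                   # assumed value


class KernelException(Exception):
    pass                              # message is the spec's KE... exception name


@dataclass
class FcaState:
    info: Dict[str, int] = field(default_factory=dict)        # FCAinfo(f).linkCount
    openEntry: Dict[Tuple[str, int], Tuple[str, Set[str]]] = field(default_factory=dict)
    tables: Set[str] = field(default_factory=set)             # FCAopenTableExists
    flow: Callable = lambda p, o, m: True                     # SMXflow stand-in
    dap: Callable = lambda p, o, m: True                      # SMXdap stand-in

    def nOpenDescriptors(self, pSeid):
        return sum(1 for (p, _) in self.openEntry if p == pSeid)

    def openCount(self, fSeid):       # counts processes, as the spec's definition does
        return len({p for (p, _), (o, _) in self.openEntry.items() if o == fSeid})

    def anotherExcl(self, fSeid):
        return any(o == fSeid and OM_EXCL in m for (o, m) in self.openEntry.values())

    def fcaOpen(self, pSeid, oSeid, mode):
        assert pSeid in self.tables                                   # ASSERTIONS
        if oSeid not in self.info or not self.flow(pSeid, oSeid, mode):
            raise KernelException("KEfcaNoFile")
        if self.info[oSeid] == 0:
            raise KernelException("KEfcaBadRefCount")
        if not self.dap(pSeid, oSeid, mode):
            raise KernelException("KEfcaDapViol")
        if OM_EXCL in mode and not {OM_READ, OM_WRITE} <= mode:
            raise KernelException("KEfcaNoExclDA")
        if self.anotherExcl(oSeid) or (self.openCount(oSeid) > 0 and OM_EXCL in mode):
            raise KernelException("KEfcaCritExcl")
        if self.nOpenDescriptors(pSeid) >= FCA_MAX_OPEN_DESCRIPTORS:
            raise KernelException("KEfcaOdSpace")
        # EFFECTS: choose a free non-null descriptor od1 and record the entry
        od = next(i for i in range(1, FCA_MAX_OPEN_DESCRIPTORS + 1)
                  if (pSeid, i) not in self.openEntry)
        self.openEntry[(pSeid, od)] = (oSeid, set(mode))
        return od

    def fcaClose(self, pSeid, od):
        """True when closing the last user of an unlinked file deleted it."""
        assert pSeid in self.tables
        if (pSeid, od) not in self.openEntry:
            raise KernelException("KEfcaBadOd")
        fSeid = self.openEntry[(pSeid, od)][0]
        # the condition is over the old state, before this entry disappears
        deleted = self.info[fSeid] == 0 and self.openCount(fSeid) == 1
        del self.openEntry[(pSeid, od)]
        if deleted:
            del self.info[fSeid]
        return deleted

    def _mustExist(self, pSeid, fSeid):                       # KEfcaNotThere
        if fSeid not in self.info or not self.flow(pSeid, fSeid, {OM_READ, OM_WRITE}):
            raise KernelException("KEfcaNotThere")

    def fcaLink(self, pSeid, fSeid):
        self._mustExist(pSeid, fSeid)
        self.info[fSeid] += 1

    def fcaUnlink(self, pSeid, fSeid):
        """True when the unlink deleted the file (last link, not open anywhere)."""
        self._mustExist(pSeid, fSeid)
        if self.info[fSeid] == 1 and self.openCount(fSeid) == 0:
            del self.info[fSeid]
            return True
        self.info[fSeid] -= 1
        return False


def exceptionName(fn, *args):
    """The KE... name a call raises, or None when it succeeds."""
    try:
        fn(*args)
        return None
    except KernelException as e:
        return str(e)


def scenario():
    """Constructed walk-through: unlinking an open file keeps it alive, the
    last close then deletes it (evaluated in list order)."""
    st = FcaState(info={"f1": 1}, tables={"p1", "p2"})
    od = st.fcaOpen("p1", "f1", {OM_READ, OM_WRITE, OM_EXCL})
    return [
        ("p1 opens f1 exclusively", od),
        ("p2 tries to open f1", exceptionName(st.fcaOpen, "p2", "f1", {OM_READ})),
        ("p1 unlinks f1", st.fcaUnlink("p1", "f1"), st.info["f1"]),
        ("p1 closes f1", st.fcaClose("p1", od), "f1" in st.info),
        ("p1 reopens f1", exceptionName(st.fcaOpen, "p1", "f1", {OM_READ})),
    ]
```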

  $( ----- basic I/O operations ----- )

VFUN FCAvReadBlocks(seid pSeid; openDescriptor od; INTEGER blockNo, size;
                    asyncId id)                                  $(FCAvReadBlocks)
  -> readResult rr;
  $(the purpose of this function is to return the result that FCAreadBlocks
    would return if executed)
  $(returns blocks that are read from a given file, device, extent, or
    terminal. the object must be open for reading. the block number and
    size must be within range for the kind of object specified. note
    that files, extents, and addressable devices are handled differently
    from terminals and nonaddressable devices, with respect to the data.)
  DEFINITIONS
    seid fSeid IS FCAopenEntry(pSeid, od).openSeid;
    deviceStruct d
      IS IF SENseidType(fSeid) = tDevice THEN deviceDataSeid(fSeid)
         ELSE IF SENseidType(fSeid) INSET {tFile, tExtent}
         THEN STRUCT(TRUE, 512, 32768, 512, FCAfileSize(fSeid) - 1)
         ELSE STRUCT(FALSE, 1, 255, 1, 0);                       $(tTerminal)
  EXCEPTIONS
    KEfcaBadOd: FCAopenEntry(pSeid, od) = ?;
    KEfcaBadType: SENseidType(fSeid) = tSubtype;
    KEfcaNotReadable: NOT omRead INSET FCAopenEntry(pSeid, od).openMode;
    KEfcaTermLocked:
      SENseidType(fSeid) = tTerminal AND NOT isCurrentPath(fSeid);
    KEfcaBadSize:
      NOT size INSET {d.minRequest .. d.maxRequest}
      OR (size MOD d.modSize) ~= 0;
    KEfcaBadBlockNo: NOT blockNo INSET {0 .. d.maxBlockNo};
    KEfcaEndOfFile:
      d.addressable AND blockNo + size/d.modSize > d.maxBlockNo;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  DERIVATION
    LET INTEGER si INSET {0 .. size/d.modSize}
    IN STRUCT(IF d.addressable
              THEN VECTOR(FOR i FROM blockNo TO blockNo + si - 1
                          : FCAfileData(fSeid, i))
              ELSE VECTOR(FOR i FROM 1 TO si                     $(d.modSize = 1)
                          : VECTOR(FCAinputStream(fSeid)[i])),
              SOME ioStatus ios | TRUE);

OVFUN FCAreadBlocks(seid pSeid; openDescriptor od; INTEGER blockNo, size;
                    asyncId id)
  -> readResult rr;                                              $(FCAreadBlocks)
  $(LR -- needs semantics for asynchronous I/O)
  $(returns blocks that are read from a given file, device, extent, or
    terminal. the object must be open for reading. the block number and
    size must be within range for the kind of object specified. note
    that files, extents, and addressable devices are handled differently
    from terminals and nonaddressable devices, with respect to the data.)
  DEFINITIONS
    seid fSeid IS FCAopenEntry(pSeid, od).openSeid;
    deviceStruct d
      IS IF SENseidType(fSeid) = tDevice THEN deviceDataSeid(fSeid)
         ELSE IF SENseidType(fSeid) INSET {tFile, tExtent}
         THEN STRUCT(TRUE, 512, 32768, 512, FCAfileSize(fSeid) - 1)
         ELSE STRUCT(FALSE, 1, 255, 1, 0);                       $(tTerminal)
    readResult rr1 IS FCAvReadBlocks(pSeid, od, blockNo, size, id);
  EXCEPTIONS
    EXCEPTIONS OF FCAvReadBlocks(pSeid, od, blockNo, size, id);
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    rr = rr1;
    NOT d.addressable
      => 'FCAinputStream(fSeid)
         = VECTOR(FOR i FROM LENGTH(rr1.data) + 1
                  TO LENGTH(FCAinputStream(fSeid))
                  : FCAinputStream(fSeid)[i]);

OVFUN FCAwriteBlocks(seid pSeid; openDescriptor od; INTEGER blockNo;
                     VECTOR_OF fileBlock vfb; asyncId id)        $(FCAwriteBlocks)
  -> ioStatus ios;
  $(LR -- needs asynchronous I/O)
  $(writes the contents of a vector of file blocks onto the object mentioned.
    the data must correspond to the parameters of the openable object.)
  DEFINITIONS
    seid fSeid IS FCAopenEntry(pSeid, od).openSeid;
    globalData fs IS FCAinfo(fSeid);
    secureEntityType type IS SENseidType(fSeid);
    deviceStruct d
      IS IF type = tDevice THEN deviceDataSeid(fSeid)
         ELSE IF type INSET {tFile, tExtent}
         THEN STRUCT(TRUE, 512, 32768, 512, FCAfileSize(fSeid))
         ELSE STRUCT(FALSE, 1, 255, 1, 0);
  EXCEPTIONS
    KEfcaBadOd: FCAopenEntry(pSeid, od) = ?;
    KEfcaNotWritable: NOT omWrite INSET FCAopenEntry(pSeid, od).openMode;
    KEfcaTermLocked: type = tTerminal AND NOT isCurrentPath(fSeid);
    KEfcaBadRequest:
      NOT LENGTH(vfb) INSET {d.minRequest .. d.maxRequest}
      OR (LENGTH(vfb) MOD d.modSize) ~= 0;
    KEfcaBadBlockNo: NOT blockNo INSET {0 .. d.maxBlockNo};
    KEfcaOverflow: d.addressable AND type ~= tFile
      AND blockNo + LENGTH(vfb) > d.maxBlockNo;
  EFFECTS
    ios = (SOME ioStatus ios1 | TRUE);
    EXISTS INTEGER size1 INSET {0 .. LENGTH(vfb)}
      : IF d.addressable
        THEN FORALL INTEGER i
             : 'FCAfileData(fSeid, i)
               = (IF NOT i INSET {blockNo .. blockNo + size1 - 1}
                  THEN FCAfileData(fSeid, i)
                  ELSE vfb[i - blockNo + 1])
        ELSE 'FCAoutputStream(fSeid)
             = VECTOR(FOR i FROM 1
                      TO LENGTH(FCAoutputStream(fSeid)) + LENGTH(vfb)
                      : IF i <= LENGTH(vfb)
                        THEN vfb[i]
                        ELSE FCAoutputStream(fSeid)[i - LENGTH(vfb)]);

  $( ----- general device manipulation ----- )
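The request checks and data effects of FCAvReadBlocks and FCAwriteBlocks above, as an executable model. This is an added example, not KSOS code: only tFile, tExtent and tTerminal are modelled (tDevice entries would come from FCAdeviceData), and because the spec compares LENGTH(vfb) with the byte-sized request limits the write payload is treated as bytes and cut into modSize blocks, which is an assumption.

```python
# Executable model of the request checks and data effects specified above for
# FCAvReadBlocks / FCAwriteBlocks. Added example, not KSOS code. Only tFile,
# tExtent and tTerminal are modelled (tDevice entries come from FCAdeviceData).
# The spec compares LENGTH(vfb) with byte-sized limits, so a write payload is
# modelled as bytes and cut into modSize blocks; that reading is an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DeviceStruct:                 # fca deviceStruct
    addressable: bool
    minRequest: int
    maxRequest: int
    modSize: int
    maxBlockNo: int


class KernelException(Exception):
    pass                            # message is the spec's KE... exception name


def deviceStructFor(objType: str, fileSize: int, forWrite: bool = False) -> DeviceStruct:
    """DEFINITIONS clause of both operations; note that maxBlockNo is
    FCAfileSize - 1 in the read operations and FCAfileSize in the write."""
    if objType in ("tFile", "tExtent"):
        return DeviceStruct(True, 512, 32768, 512, fileSize if forWrite else fileSize - 1)
    return DeviceStruct(False, 1, 255, 1, 0)                    # tTerminal


def checkRead(d: DeviceStruct, blockNo: int, size: int) -> None:
    """EXCEPTIONS of FCAvReadBlocks that concern the request itself."""
    if not d.minRequest <= size <= d.maxRequest or size % d.modSize != 0:
        raise KernelException("KEfcaBadSize")
    if not 0 <= blockNo <= d.maxBlockNo:
        raise KernelException("KEfcaBadBlockNo")
    # As written, a request that ends exactly on maxBlockNo is rejected here,
    # although the DERIVATION only reads blockNo .. blockNo + si - 1.
    if d.addressable and blockNo + size // d.modSize > d.maxBlockNo:
        raise KernelException("KEfcaEndOfFile")


def readFileBlocks(fileData: Dict[int, bytes], blockNo: int, size: int) -> List[bytes]:
    """DERIVATION for an addressable object: si = size / modSize blocks."""
    d = deviceStructFor("tFile", len(fileData))
    checkRead(d, blockNo, size)
    si = size // d.modSize
    return [fileData[i] for i in range(blockNo, blockNo + si)]


def readTerminal(inputStream: str, size: int) -> List[str]:
    """Non-addressable case: si characters come off FCAinputStream. The spec
    leaves si anywhere in {0 .. size}; this model takes all that are there."""
    d = deviceStructFor("tTerminal", 0)
    checkRead(d, 0, size)
    return list(inputStream[:min(size, len(inputStream))])


def checkWrite(d: DeviceStruct, objType: str, blockNo: int, nBytes: int) -> None:
    """EXCEPTIONS of FCAwriteBlocks that concern the request itself."""
    if not d.minRequest <= nBytes <= d.maxRequest or nBytes % d.modSize != 0:
        raise KernelException("KEfcaBadRequest")
    if not 0 <= blockNo <= d.maxBlockNo:
        raise KernelException("KEfcaBadBlockNo")
    # a file may grow, so KEfcaOverflow is only raised for extents and devices
    if d.addressable and objType != "tFile" and blockNo + nBytes // d.modSize > d.maxBlockNo:
        raise KernelException("KEfcaOverflow")


def writeBlocks(objType: str, fileData: Dict[int, bytes], blockNo: int,
                payload: bytes) -> Dict[int, bytes]:
    """EFFECTS for an addressable object with size1 = the whole request:
    blocks blockNo .. blockNo + n - 1 are replaced, all others are unchanged."""
    d = deviceStructFor(objType, len(fileData), forWrite=True)
    checkWrite(d, objType, blockNo, len(payload))
    new = dict(fileData)
    for k in range(len(payload) // d.modSize):
        new[blockNo + k] = payload[k * d.modSize:(k + 1) * d.modSize]
    return new


def exceptionName(fn, *args):
    """The KE... name a call raises, or None when it succeeds."""
    try:
        fn(*args)
        return None
    except KernelException as e:
        return str(e)


# constructed sample: a four-block file, blocks 0..3 filled with 'A'..'D'
SAMPLE_FILE = {i: bytes([65 + i]) * 512 for i in range(4)}
```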


VFUN FCAvDeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                        VECTOR_OF INTEGER args; asyncId id)
  -> ioStatus status;                                            $(FCAvDeviceFunction)
  $(the purpose of this function is to return the value that FCAdeviceFunction
    would return if it were executed in a given state)
  $(the specification of this function is device-dependent, but may be
    filled in at a later time)
  DEFINITIONS
    seid dSeid IS FCAopenEntry(pSeid, od).openSeid;
  EXCEPTIONS
    KEfcaNotThere: FCAopenEntry(pSeid, od) = ?;
    KEfcaBadDevice: NOT SENseidType(dSeid) INSET {tDevice, tTerminal};
    KEfcaNoOwner: TIIinfo(dSeid).owner ~= TIIinfo(pSeid).owner;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  DERIVATION
    SOME ioStatus ios | TRUE;

OVFUN FCAdeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                        VECTOR_OF INTEGER args; asyncId id)
  -> ioStatus status;                                            $(FCAdeviceFunction)
  $(the specification of this function is device-dependent, but may be
    filled in at a later time)
  EXCEPTIONS
    EXCEPTIONS OF FCAvDeviceFunction(pSeid, od, f, args, id);
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    $(the state of the device somehow changes, and the result is returned via
      the io status)
    status = FCAvDeviceFunction(pSeid, od, f, args, id);
    TRUE;

OFUN FCAterminalLock(seid pSeid, devSeid);                       $(FCAterminalLock)
  $(sets the current terminal in the group to be "devSeid". The requesting
    process must have the privilege to lock terminals)
  EXCEPTIONS
    KEfcaNotTerminal: SENseidType(devSeid) ~= tTerminal;
    KEfcaNoPriv: NOT SMXhasPriv(pSeid, privTerminalLock);
    KEfcaNotThere: FCAinfo(devSeid) = ?;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    LET terminalGroup t | devSeid INSET FCAterminalPathSet(t)
    IN 'FCAcurrentPath(t) = devSeid;

  $( ----- mounting and unmounting operations ----- )

OFUN FCAmount(seid pSeid, dev, leaf, root; BOOLEAN readonly);    $(FCAmount)
  $(performs the logical mounting of a file system from an extent. The
    semantics are described in the general commentary in the FCA
    specification)
  DEFINITIONS
    fileSystem fileSys IS
      FCAextentToFileSys(VECTOR(FOR i FROM 1 TO FCAfileSize(dev)
                                : FCAfileData(dev, i)),
                         root);
      $(the file system produced by the data on the extent)
    fileSystemEntry fse(seid f) IS
      SOME fileSystemEntry fse1 | fse1.fileSeid = f;
      $(the entry in the file system with a given seid)
  EXCEPTIONS
    KEfcaBadPriv: NOT SMXhasPriv(pSeid, privMount);
    KEfcaNoLeaf: FCAinfo(leaf) = ?
      OR NOT SMXflow(pSeid, leaf, {daRead, daWrite});
    KEfcaNoDev: FCAinfo(dev) = ?
      OR NOT SMXflow(pSeid, dev, {daRead, daWrite});
    KEfcaBadDa1: NOT SMXdap(pSeid, dev, {daWrite});
    KEfcaBadDa2: NOT SMXdap(pSeid, leaf, {daWrite});
    KEfcaNoFile1: SENseidType(leaf) ~= tFile;
    KEfcaNoFile2: SENseidType(root) ~= tFile;
    KEfcaNoExtent: SENseidType(leaf) ~= tExtent;
    KEfcaInUse:
      SENseidNsp(root) = SENseidNsp(FCArootSeid)
      OR (EXISTS seid devSeid
          : SENseidNsp(FCAmountTable(devSeid).rootSeid)
            = SENseidNsp(root));
    KEfcaNoOwner: TIIinfo(pSeid).owner ~= TIIinfo(dev).owner;
    KEfcaFileOpen: openCount(dev) > 0;
    KEfcaDevOpen: openCount(leaf) > 0;
    RESOURCE_ERROR;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    'FCAmountTable(dev)
      = STRUCT(leaf, root, readonly, TIIinfo(dev), FCAinfo(dev));
    'FCAinfo(dev) = ?;
    FORALL INTEGER i : 'FCAfileData(dev, i) = ?;
    'TIIinfo(dev) = ?;
    FORALL seid f | fse(f) ~= ?
      : 'FCAinfo(f) = fse(f).gl
        AND (FORALL INTEGER i INSET {1 .. LENGTH(fse(f).fileData)}
             : 'FCAfileData(f, i - 1) = fse(f).fileData[i])
        AND 'TIIinfo(f) = fse(f).tii;

OFUN FCAunmount(seid pSeid, devSeid);                            $(FCAunmount)
  $(performs logical unmounting of a file system. Restores the extent
    so that it can be accessed)
  DEFINITIONS
    mountTableEntry mte IS FCAmountTable(devSeid);
    INTEGER fsNsp IS SENseidNsp(mte.rootSeid);
    fileSystem fs IS
      {fileSystemEntry fse
       | LET seid fSeid | SENseidNsp(fSeid) = fsNsp AND FCAinfo(fSeid) ~= ?
         IN fse = STRUCT(fSeid, FCAinfo(fSeid), TIIinfo(fSeid),
                         VECTOR(FOR i FROM 1 TO FCAfileSize(fSeid)
                                : FCAfileData(fSeid, i - 1)))};
      $(the state of the file system to be unmounted)
    VECTOR_OF fileBlock extData
      IS SOME VECTOR_OF fileBlock vfb
         | FCAextentToFileSys(vfb,
                              SOME seid s
                              | EXISTS fileSystemEntry fse INSET fs
                                : s = fse.fileSeid)
           = fs;
      $(given the state of the file system, the extent that is equivalent to
        it)
  EXCEPTIONS
    KEfcaBadPriv: NOT SMXhasPriv(pSeid, privMount);
    KEfcaNoDevice: mte = ?
      OR NOT SMXflow(pSeid, devSeid, {daRead, daWrite});
    KEfcaNoOwner: TIIinfo(pSeid).owner ~= TIIinfo(devSeid).owner;
    KEfcaBadDa: NOT SMXdap(pSeid, devSeid, {daWrite});
    KEfcaOpenFiles:
      EXISTS seid fSeid | SENseidNsp(fSeid) = fsNsp : openCount(fSeid) > 0;
  ASSERTIONS
    FCAopenTableExists(pSeid);
  EFFECTS
    'FCAinfo(devSeid) = mte.devGl;
    'TIIinfo(devSeid) = mte.devTii;
    FORALL INTEGER i INSET {1 .. LENGTH(extData)}
      : 'FCAfileData(devSeid, i - 1) = extData[i];
    $(the device's state "comes back")
    FORALL seid fSeid | SENseidNsp(fSeid) = fsNsp
      : 'TIIinfo(fSeid) = ?
        AND 'FCAinfo(fSeid) = ?
        AND (FORALL INTEGER i : 'FCAfileData(fSeid, i) = ?);
    $(the state of all files on the file system "disappears")

END MODULE
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MODULE • 
CONTENTS : 

TYPE  ■ 

LAST  CHANCED- 


ker. specs  (version  2.21) 
Kernel  Calls 
SPECIAL. specif icat ions 
10/17/79,  18:56:31 


MACmaxVAddr} : 


1  S(  " 

2 
3 
A 

5  ") 

6 

7 

8  MODULE  ker 

9 

10 

1 1  TYPES 

12 

13  $(frora  mac) 

1A  vAddrType-  (0  .. 

15 

16  $(from  smx) 

17  nonDisType:  STRUCT  0F( 

18  INTEGER  securityLevel ;  SET  OF  securityCat  securi tyCatS ; 

19  INTEGER  integrityLevel;  SET  OF  integrityCat  i ntegri tyCatS ) : 

20  daType:  SET  OF  daMode; 

21  modeStruct:  STRUCT  0F(daType  ownerMode,  groupMode,  allMode); 

22  tiiStruct:  STRUCT  0F(nonDisType  nd; 

23  modeStruct  da,  INTEGER  owner,  group:  SET  OF  privType  priv); 

2A 

25  $ ( FROM  pvm) 

26  virtualLocation: 

27  STRUCT  OF(domainType  domain;  spaceType  idSpace;  vAddrType  vAddr); 

28  globalData: 

29  STRUCT  OF (BOOLEAN  sharable,  swappable,  sticky,  memAdvise ,  executable; 

30  direction  growth); 

31  segStatus:  STRUCT  0F(globalData  gl ;  INTEGER  size); 

32  pBlock:  STRUCT_0F( virtualLocation  vloc;  INTEGER  size); 

33 

3A  $(FROM  fca) 

35  fileStatus:  STRUCT  OF (INTEGER  nBlocks,  linxCount ,  timeLastMod;  seid  subtype; 

36  BOOLEAN  openForWrite ,  openAtCrash) ; 

37  asyncld:  CHAR; 

38  ioStatus:  STRUCT  OF (INTEGER  devlndep,  devDep): 

39 
A0 


$(from  pro) 


{0  ..  PROmaxPiLevel) ;  $ (pseudo  interrupt  level  range) 

STRUCT  0F( BOOLEAN  pending; 
plLevelType  oldPll; 

INTEGER  old Pc; 

INTEGER  oldPs: 

INTEGER  parameter; 

INTEGER  newPc; 

INTEGER  newPs); 

A9  piVectorType:  {VECTOR  OF  piEntryType  piv  |  LENGTH(piv)  ■  PROmaxPiLevel  +  1}- 

50  ipcqType-  {VECTOR  OF  ipcMessageType  zz  |  LENGTH(zz)  <*  IPCmaxMessageCount } : 

51  IpcTaxtType  {VECTOR  OF  CHAR  vc  I  LENGTH(vc)  ■  IPCmaxMessageLength } : 

52  ipcMessageType:  STRUCT  0F(seid  sender;  ipcTextType  text); 

53  processStateType :  STRUCT  0F( seid  self; 

5A  seid  parent; 

55  INTEGER  family; 

56  INTEGER  realUser; 


A1  plLevelType: 
A2  piEntryType: 
A3 
AA 

45 

46 

47 

48 
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I 


h 


57 

INTEGER 

realGroup; 

58 

INTEGER 

pc; 

$ (program  counter) 

59 

INTECER 

ps ; 

$ (processor  status) 

60 

piLevelType 

pll; 

61 

plVectorType 

pi  v; 

62 

lpcqType 

ipcq; 

63 

INTEGER 

advPrio; 

$(advisory  priority) 

64 

INTEGER 

tl  merAlarm; 

$( one -zero  crossing  •> 

pi> 

65 

INTEGER 

super vis orTi ml ng; 

66 

INTEGER 

userTlming; 

67 

BOOLEAN 

timTog) : 

$(tlmer  toggle  TRUE  is 

ON) 

68 

69 

70 

EXTERNALREFS

FROM mac:
  INTEGER MACmaxVAddr;

FROM smx:
  seid: DESIGNATOR;
  privType: {privFileUpdateStatus, privLink, privLockSeg,
             privModifyPriv, privMount,
             privSetLevel, privStickySeg, privTerminalLock,
             privViolSimpSecurity, privViolStarSecurity,
             privViolSimpIntegrity, privViolStarIntegrity,
             privViolDiscrAccess, privSignal, privWalkPTable,
             privHalt, privKernelCall, privViolCompartments,
             privRealizeExecPermissions};
  daMode: {daRead, daWrite, daExecute};
  securityCat: DESIGNATOR;
  integrityCat: DESIGNATOR;
  domainType: {userDomain, supervisorDomain};
  INTEGER size;

FROM pvm:
  segDes: DESIGNATOR;
  spaceType: {iSpace, dSpace};
  direction: {up, down};
  OVFUN PVMbuild(seid pSeid; segStatus ss; modeStruct ms;
                 virtualLocation vl)
      -> STRUCT_OF(seid segSeid; segDes segd) result;
  OFUN PVMdestroy(seid pSeid; segDes segd);
  VFUN PVMgetSegmentStatus(seid pSeid, segSeid) -> segStatus st;
  OFUN PVMsetSegmentStatus(seid pSeid, segSeid; segStatus st);
  OFUN PVMremap(seid pSeid; segDes in; virtualLocation vl; daType da;
                BOOLEAN vlFlg, daFlg; segDes out; INTEGER outSize;
                BOOLEAN osFlg);
  OVFUN PVMrendezvous(seid pSeid, segSeid; virtualLocation vl; daType da)
      -> segDes segd;

FROM fca:
  openDescriptor: DESIGNATOR;
  openModes: {omRead, omWrite, omExclusive};
  IOfunction: {rewind, etc};
  OFUN FCAclose(seid pSeid; openDescriptor od);
  OVFUN FCAcreate(seid pSeid, nspSeid; modeStruct ms; openDescriptor stCap)
      -> STRUCT_OF(seid fSeid; openDescriptor od) result;
  OVFUN FCAopen(seid pSeid, oSeid; SET_OF openModes om; openDescriptor stCap)
      -> openDescriptor od;
  VFUN FCAgetFileStatus(seid pSeid, fSeid) -> fileStatus fst;
  OFUN FCAsetFileStatus(seid pSeid, fSeid; fileStatus newfst);

FROM fmi:
  OFUN FCAlink(seid pSeid, fSeid);
  OFUN FCAmount(seid pSeid, dev, leaf, root; BOOLEAN readOnly);
  OFUN FCAterminalLock(seid pSeid, devSeid);
  OFUN FCAunlink(seid pSeid, fSeid);
  OFUN FCAunmount(seid pSeid, devSeid);

FROM pro:
  INTEGER IPCmaxMessageCount;
  INTEGER IPCmaxMessageLength;
  INTEGER PROmaxPiLevel;
  OVFUN PROfork(seid pSeid) -> seid childSeid;
  VFUN PROgetProcessStatus(seid pSeid, getSeid) -> processStateType ps;
  OFUN PROinterruptReturn(seid pSeid);
  OFUN PROinvoke(seid pSeid, immSeid; segDes arg);
  OFUN PROnap(seid pSeid; INTEGER timeOut);
  OFUN PROpost(seid pSeid, receiver; BOOLEAN pseudoInt; ipcTextType msg);
  OVFUN PROreceive(seid pSeid; INTEGER timeOut) -> ipcMessageType msg;
  OFUN PROreleaseProc(seid pSeid, rSeid);
  OFUN PROsetProcessStatus(seid pSeid, procSeid; processStateType ps);
  OFUN PROsignal(seid pSeid, procSeid; INTEGER sigVal);
  OVFUN PROspawn(seid pSeid, immSeid; segDes arg) -> seid childSeid;
  VFUN PROwalkProcessTable(seid pSeid; INTEGER n) -> seid rSeid;

FROM lev:
  VFUN LEVgetObjectLevel(seid pSeid, objSeid) -> tiiStruct level;
  OFUN LEVsetObjectLevel(seid pSeid, objSeid; tiiStruct level);

FROM spf:
  SPFfunctionType: {syncSPF, la*nSegSPF, sysHaltSPF, levelSetSPF};

FROM pbl:
  OFUN PBLdeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                         pBlock arguments, status; asyncId id);
  OVFUN PBLreadBlock(seid pSeid; openDescriptor od; INTEGER blockNo;
                     pBlock duFile; asyncId as)
      -> STRUCT_OF(INTEGER bytesRead; ioStatus errst) result;
  OFUN PBLspecialFunction(seid pSeid; SPFfunctionType fn; pBlock parm);
  OFUN PBLwriteBlock(seid pSeid; openDescriptor od; INTEGER blockNo;
                     pBlock duFile; asyncId as);


FUNCTIONS

$(Visible Kernel Functions in Alphabetical Order)

OVFUN K_build_segment(segStatus ss; modeStruct ms; INTEGER size;
                      virtualLocation vl)
    [seid pSeid] -> STRUCT_OF(seid segSeid; segDes segd) result;
    $(K_build_segment)
  EXCEPTIONS
    EXCEPTIONS_OF PVMbuild(pSeid, ss, ms, size, vl);
  EFFECTS
    result = EFFECTS_OF PVMbuild(pSeid, ss, ms, size, vl);

OFUN K_close(openDescriptor od)[seid pSeid];  $(K_close)
  EXCEPTIONS
    EXCEPTIONS_OF FCAclose(pSeid, od);
  EFFECTS
    EFFECTS_OF FCAclose(pSeid, od);

OVFUN K_create(seid nspSeid; modeStruct ms; openDescriptor stCap)[seid pSeid]
    -> STRUCT_OF(seid fSeid; openDescriptor od) return;  $(K_create)
  EXCEPTIONS
    EXCEPTIONS_OF FCAcreate(pSeid, nspSeid, ms, stCap);
  EFFECTS
    return = EFFECTS_OF FCAcreate(pSeid, nspSeid, ms, stCap);

OFUN K_device_function(openDescriptor od; IOfunction f;
                       pBlock arguments, status; asyncId id)
    [seid pSeid];  $(K_device_function)
  EXCEPTIONS
    EXCEPTIONS_OF PBLdeviceFunction(pSeid, od, f, arguments, status, id);
  EFFECTS
    EFFECTS_OF PBLdeviceFunction(pSeid, od, f, arguments, status, id);

OVFUN K_fork()[seid pSeid] -> seid childSeid;  $(K_fork)
  EXCEPTIONS
    EXCEPTIONS_OF PROfork(pSeid);
  EFFECTS
    childSeid = EFFECTS_OF PROfork(pSeid);
    $("childSeid is returned to the (original) process; pSeid (parent seid)
       is returned to the newly created child")

VFUN K_get_file_status(seid fSeid)[seid pSeid] -> fileStatus fst;
    $(K_get_file_status)
  EXCEPTIONS
    EXCEPTIONS_OF FCAgetFileStatus(pSeid, fSeid);
  DERIVATION
    FCAgetFileStatus(pSeid, fSeid);

VFUN K_get_object_level(seid objSeid)[seid pSeid] -> tiiStruct otii;
    $(K_get_object_level)
  EXCEPTIONS
    EXCEPTIONS_OF LEVgetObjectLevel(pSeid, objSeid);
  DERIVATION
    LEVgetObjectLevel(pSeid, objSeid);

VFUN K_get_process_status(seid getSeid)[seid pSeid] -> processStateType ps;
    $(K_get_process_status)
  EXCEPTIONS
    EXCEPTIONS_OF PROgetProcessStatus(pSeid, getSeid);
  DERIVATION
    PROgetProcessStatus(pSeid, getSeid);

VFUN K_get_segment_status(seid segSeid)[seid pSeid] -> segStatus st;
    $(K_get_segment_status)
  EXCEPTIONS
    EXCEPTIONS_OF PVMgetSegmentStatus(pSeid, segSeid);
  DERIVATION
    PVMgetSegmentStatus(pSeid, segSeid);

OFUN K_interrupt_return()[seid pSeid];  $(K_interrupt_return)
  EXCEPTIONS
    EXCEPTIONS_OF PROinterruptReturn(pSeid);
  EFFECTS
    EFFECTS_OF PROinterruptReturn(pSeid);

OFUN K_invoke(seid immSeid; segDes arg)[seid pSeid];  $(K_invoke)
  EXCEPTIONS
    EXCEPTIONS_OF PROinvoke(pSeid, immSeid, arg);
  EFFECTS
    EFFECTS_OF PROinvoke(pSeid, immSeid, arg);

OFUN K_link(seid fSeid)[seid pSeid];  $(K_link)
  EXCEPTIONS
    EXCEPTIONS_OF FCAlink(pSeid, fSeid);
  EFFECTS
    EFFECTS_OF FCAlink(pSeid, fSeid);

OFUN K_mount(seid dev, leaf, root; BOOLEAN readOnly)[seid pSeid];  $(K_mount)
  EXCEPTIONS
    EXCEPTIONS_OF FCAmount(pSeid, dev, leaf, root, readOnly);
  EFFECTS
    EFFECTS_OF FCAmount(pSeid, dev, leaf, root, readOnly);

OFUN K_nap(INTEGER timeOut)[seid pSeid];  $(K_nap)
  EXCEPTIONS
    EXCEPTIONS_OF PROnap(pSeid, timeOut);
  EFFECTS
    EFFECTS_OF PROnap(pSeid, timeOut);

OVFUN K_open(seid oSeid; SET_OF openModes om; openDescriptor stCap)
    [seid pSeid] -> openDescriptor od;  $(K_open)
  EXCEPTIONS
    EXCEPTIONS_OF FCAopen(pSeid, oSeid, om, stCap);
  EFFECTS
    od = EFFECTS_OF FCAopen(pSeid, oSeid, om, stCap);

OFUN K_post(seid receiver; BOOLEAN pseudoInt; ipcTextType msg)[seid pSeid];
    $(K_post)
  EXCEPTIONS
    EXCEPTIONS_OF PROpost(pSeid, receiver, pseudoInt, msg);
  EFFECTS
    EFFECTS_OF PROpost(pSeid, receiver, pseudoInt, msg);

OVFUN K_read_block(openDescriptor od; INTEGER blockNo; pBlock duFile;
                   asyncId as)[seid pSeid]
    -> STRUCT_OF(INTEGER bytesRead; ioStatus errst) result;  $(K_read_block)
  EXCEPTIONS
    EXCEPTIONS_OF PBLreadBlock(pSeid, od, blockNo, duFile, as);

  EFFECTS
    result = EFFECTS_OF PBLreadBlock(pSeid, od, blockNo, duFile, as);

OVFUN K_receive(INTEGER timeOut)[seid pSeid] -> ipcMessageType msg;
    $(K_receive)
  EXCEPTIONS
    EXCEPTIONS_OF PROreceive(pSeid, timeOut);
  EFFECTS
    msg = EFFECTS_OF PROreceive(pSeid, timeOut);

OFUN K_release_process(seid rSeid)[seid pSeid];  $(K_release_process)
  EXCEPTIONS
    EXCEPTIONS_OF PROreleaseProc(pSeid, rSeid);
  EFFECTS
    EFFECTS_OF PROreleaseProc(pSeid, rSeid);

OFUN K_release_segment(segDes segd)[seid pSeid];  $(K_release_segment)
  EXCEPTIONS
    EXCEPTIONS_OF PVMdestroy(pSeid, segd);
  EFFECTS
    EFFECTS_OF PVMdestroy(pSeid, segd);

OFUN K_remap(segDes in; virtualLocation vl; daType da; BOOLEAN vlFlg, daFlg;
             segDes out; INTEGER outSize; BOOLEAN osFlg)[seid pSeid];
    $(K_remap)
  EXCEPTIONS
    EXCEPTIONS_OF
      PVMremap(pSeid, in, vl, da, vlFlg, daFlg, out, outSize, osFlg);
  EFFECTS
    EFFECTS_OF
      PVMremap(pSeid, in, vl, da, vlFlg, daFlg, out, outSize, osFlg);

OVFUN K_rendezvous_segment(seid segSeid; virtualLocation vl; daType da)
    [seid pSeid]
    -> segDes segd;  $(K_rendezvous_segment)
  EXCEPTIONS
    EXCEPTIONS_OF PVMrendezvous(pSeid, segSeid, vl, da);
  EFFECTS
    segd = EFFECTS_OF PVMrendezvous(pSeid, segSeid, vl, da);

OFUN K_secure_terminal_lock(seid devSeid)[seid pSeid];
    $(K_secure_terminal_lock)
  EXCEPTIONS
    EXCEPTIONS_OF FCAterminalLock(pSeid, devSeid);
  EFFECTS
    EFFECTS_OF FCAterminalLock(pSeid, devSeid);

OFUN K_set_file_status(seid fSeid; fileStatus fst)[seid pSeid];
    $(K_set_file_status)
  EXCEPTIONS
    EXCEPTIONS_OF FCAsetFileStatus(pSeid, fSeid, fst);
  EFFECTS
    EFFECTS_OF FCAsetFileStatus(pSeid, fSeid, fst);

OFUN K_set_object_level(seid objSeid; tiiStruct level)[seid pSeid];
    $(K_set_object_level)
  EXCEPTIONS
    EXCEPTIONS_OF LEVsetObjectLevel(pSeid, objSeid, level);
  EFFECTS
    EFFECTS_OF LEVsetObjectLevel(pSeid, objSeid, level);

OFUN K_set_process_status(seid procSeid; processStateType ps)[seid pSeid];
    $(K_set_process_status)
  EXCEPTIONS
    EXCEPTIONS_OF PROsetProcessStatus(pSeid, procSeid, ps);
  EFFECTS
    EFFECTS_OF PROsetProcessStatus(pSeid, procSeid, ps);

OFUN K_set_segment_status(seid segSeid; segStatus st)[seid pSeid];
    $(K_set_segment_status)
  EXCEPTIONS
    EXCEPTIONS_OF PVMsetSegmentStatus(pSeid, segSeid, st);
  EFFECTS
    EFFECTS_OF PVMsetSegmentStatus(pSeid, segSeid, st);

OFUN K_signal(seid procSeid; INTEGER sigVal)[seid pSeid];  $(K_signal)
  EXCEPTIONS
    EXCEPTIONS_OF PROsignal(pSeid, procSeid, sigVal);
  EFFECTS
    EFFECTS_OF PROsignal(pSeid, procSeid, sigVal);

OVFUN K_spawn(seid immSeid; segDes arg)[seid pSeid] -> seid childSeid;
    $(K_spawn)
  EXCEPTIONS
    EXCEPTIONS_OF PROspawn(pSeid, immSeid, arg);
  EFFECTS
    childSeid = EFFECTS_OF PROspawn(pSeid, immSeid, arg);

OFUN K_special_function(SPFfunctionType fn; pBlock parm)[seid pSeid];
    $(K_special_function)
  EXCEPTIONS
    EXCEPTIONS_OF PBLspecialFunction(pSeid, fn, parm);
  EFFECTS
    EFFECTS_OF PBLspecialFunction(pSeid, fn, parm);

OFUN K_unlink(seid fSeid)[seid pSeid];  $(K_unlink)
  EXCEPTIONS
    EXCEPTIONS_OF FCAunlink(pSeid, fSeid);
  EFFECTS
    EFFECTS_OF FCAunlink(pSeid, fSeid);

OFUN K_unmount(seid devSeid)[seid pSeid];  $(K_unmount)
  EXCEPTIONS
    EXCEPTIONS_OF FCAunmount(pSeid, devSeid);
  EFFECTS
    EFFECTS_OF FCAunmount(pSeid, devSeid);

VFUN K_walk_process_table(INTEGER n)[seid pSeid] -> seid rSeid;
    $(K_walk_process_table)
  EXCEPTIONS
    EXCEPTIONS_OF PROwalkProcessTable(pSeid, n);
  DERIVATION
    PROwalkProcessTable(pSeid, n);

OFUN K_write_block(openDescriptor od; INTEGER blockNo; pBlock duFile;
                   asyncId id)[seid pSeid];  $(K_write_block)
  EXCEPTIONS
    EXCEPTIONS_OF PBLwriteBlock(pSeid, od, blockNo, duFile, id);
  EFFECTS
    EFFECTS_OF PBLwriteBlock(pSeid, od, blockNo, duFile, id);

END_MODULE
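Every visible kernel function above has the same shape: its own arguments are in parentheses, the calling process's seid appears as the implicit bracketed parameter [seid pSeid], and the EXCEPTIONS and EFFECTS clauses are simply EXCEPTIONS_OF and EFFECTS_OF the module function called with pSeid prepended. The Python below is an added executable model of that perimeter pattern, not code from the KSOS project: the kernel binds pSeid from the trap context, so a caller can name any descriptor it likes but can never name another process as itself. The fca open-table state, the seid strings, and the exception name KEfcaNotOpen are this example's own constructions (the page does not list the fca module's exceptions).

```python
from dataclasses import dataclass, field
from typing import Callable


class KernelException(Exception):
    """A SPECIAL EXCEPTIONS clause firing; .name is the KE... identifier."""

    def __init__(self, name: str):
        super().__init__(name)
        self.name = name


@dataclass
class FcaState:
    """fca module state: each process's open table (constructed model,
    seid -> set of open descriptors)."""
    open_tables: dict = field(default_factory=dict)

    def FCAclose(self, pSeid: str, od: int) -> None:
        """Module function behind K_close.  KEfcaNotOpen is this example's
        own exception name; the page does not list the fca exceptions."""
        if od not in self.open_tables.get(pSeid, set()):
            raise KernelException("KEfcaNotOpen")
        self.open_tables[pSeid].remove(od)


@dataclass(frozen=True)
class TrapContext:
    """What the kernel knows at the trap: the seid of the process that
    trapped.  This is the source of the implicit [seid pSeid] parameter."""
    pSeid: str


def perimeter(module_fn: Callable) -> Callable:
    """Build a visible K_ function from a module function: prepend the trap
    context's pSeid and forward the caller's arguments.  Module exceptions
    propagate unchanged (EXCEPTIONS_OF ...) and the module's state change
    is the only effect (EFFECTS_OF ...)."""

    def k_fn(ctx: TrapContext, *args):
        return module_fn(ctx.pSeid, *args)

    return k_fn


def run_scenario() -> dict:
    """Two processes; P2 presents P1's descriptor to K_close."""
    fca = FcaState(open_tables={"P1": {3}, "P2": set()})  # constructed state
    K_close = perimeter(fca.FCAclose)
    out = {}
    try:
        K_close(TrapContext("P2"), 3)   # pSeid is P2, whatever od P2 passes
        out["p2_close"] = "closed"
    except KernelException as e:
        out["p2_close"] = e.name
    K_close(TrapContext("P1"), 3)       # the owner closes its own descriptor
    out["p1_still_open"] = 3 in fca.open_tables["P1"]
    return out
```

The same wrapper serves every OFUN, VFUN and OVFUN in the list; for the OVFUNs the module function's return value is the `result` the EFFECTS clause binds.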
$(" MODULE:       lev.specs (version 2.3)
    CONTENTS:     System Levels
    TYPE:         SPECIAL specifications
    LAST CHANGED: 7/17/79, 15:04:04
")

MODULE lev

$( This module enables the centralization of the get and set level operations
   for all modules.  Each module maintains the type-independent operation
   of its own objects, and applies certain conditions to the getting and
   setting of this information.  However, there is only one kernel operation
   for getting levels, and one for setting levels, of all objects.  The
   operations are combined in this module)

TYPES

$(from smx)
nonDisType: STRUCT_OF(
    INTEGER securityLevel; SET_OF securityCat securityCatS;
    INTEGER integrityLevel; SET_OF integrityCat integrityCatS);
daType: SET_OF daMode;
modeStruct: STRUCT_OF(daType ownerMode, groupMode, allMode);
tiiStruct: STRUCT_OF(nonDisType nd; modeStruct da; INTEGER owner, group;
                     SET_OF privType priv);

$(FROM pvm)
globalData:
    STRUCT_OF(BOOLEAN sharable, swappable, sticky, memAdvise, executable;
              direction growth);

$(FROM fca)
openFileEntry: STRUCT_OF(seid openSeid; SET_OF openModes openMode);

EXTERNALREFS

FROM smx:
  seid: DESIGNATOR;
  secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype,
                     tExtent, tNull};
  securityCat: DESIGNATOR;
  integrityCat: DESIGNATOR;
  daMode: {daRead, daWrite, daExecute};
  privType: {privFileUpdateStatus, privLink, privLockSeg,
             privModifyPriv, privMount,
             privSetLevel, privStickySeg, privTerminalLock,
             privViolSimpSecurity, privViolStarSecurity,
             privViolSimpIntegrity, privViolStarIntegrity,
             privViolDiscrAccess, privSignal, privWalkPTable,
             privHalt, privKernelCall, privViolCompartments,
             privRealizeExecPermissions};
  VFUN SENseidType(seid s) -> secureEntityType set;
  VFUN TIIgetEntityLevel(seid pSeid, oSeid) -> tiiStruct ntii;
  OFUN TIIsetEntityLevel(seid pSeid, oSeid; tiiStruct ntii);

FROM pvm:
  direction: {up, down};
  VFUN SEGinstanceInfo(seid s) -> globalData gl;

FROM fca:
  openDescriptor: DESIGNATOR;
  openModes: {omRead, omWrite, omExclusive};
  VFUN FCAopenEntry(seid pSeid; openDescriptor od) -> openFileEntry oe;

FUNCTIONS

VFUN LEVgetObjectLevel(seid pSeid, oSeid) -> tiiStruct otii;
  EXCEPTIONS
    EXCEPTIONS_OF TIIgetEntityLevel(pSeid, oSeid);
  DERIVATION
    TIIgetEntityLevel(pSeid, oSeid);

OFUN LEVsetObjectLevel(seid pSeid, oSeid; tiiStruct otii);
    $(LEVsetObjectLevel)
  DEFINITIONS
    secureEntityType type IS SENseidType(oSeid);
  EXCEPTIONS
    EXCEPTIONS_OF TIIsetEntityLevel(pSeid, oSeid, otii);
    KElevSegEx: type = tSegment AND SEGinstanceInfo(oSeid).sharable = TRUE;
    KElevFilEx:
      type INSET {tFile, tDevice, tSubtype, tTerminal, tExtent}
      AND (EXISTS seid pSeid1; openDescriptor od
           : FCAopenEntry(pSeid1, od).openSeid = oSeid);
  EFFECTS
    EFFECTS_OF TIIsetEntityLevel(pSeid, oSeid, otii);

END_MODULE
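LEVsetObjectLevel adds two exceptions of its own on top of whatever TIIsetEntityLevel raises: KElevSegEx refuses to relabel a segment that is currently sharable, and KElevFilEx refuses to relabel a file-like object while any process holds it open. Both close the same hole: an access decision already made against the old label would otherwise stay in force against the new one. The Python below is an added executable model of that function, not code from the lev module. SENseidType, SEGinstanceInfo, FCAopenEntry and the TII level store are replaced by constructed dictionaries; the one exception modelled for TIIsetEntityLevel (the caller must hold privSetLevel, named KEsmxNoPriv here) is this example's assumption, since the smx exceptions are not on this page.

```python
from dataclasses import dataclass
from enum import Enum, auto


class SecureEntityType(Enum):          # smx secureEntityType
    tFile = auto()
    tDevice = auto()
    tTerminal = auto()
    tProcess = auto()
    tSegment = auto()
    tSubtype = auto()
    tExtent = auto()
    tNull = auto()


class KernelException(Exception):
    """A SPECIAL EXCEPTIONS clause firing; .name is the KE... identifier."""

    def __init__(self, name: str):
        super().__init__(name)
        self.name = name


# The set named in KElevFilEx: objects that can appear in an open table.
FILE_LIKE = {SecureEntityType.tFile, SecureEntityType.tDevice,
             SecureEntityType.tSubtype, SecureEntityType.tTerminal,
             SecureEntityType.tExtent}


@dataclass
class LevState:
    """The kernel state LEVsetObjectLevel consults (all constructed here)."""
    seid_type: dict      # SENseidType(s):              seid -> SecureEntityType
    levels: dict         # TII level store:             seid -> tiiStruct (opaque)
    sharable: dict       # SEGinstanceInfo(s).sharable: segment seid -> bool
    open_entries: dict   # FCAopenEntry(pSeid, od).openSeid: (pSeid, od) -> seid
    privs: dict          # TIIinfo(pSeid).priv stand-in: seid -> set of priv names

    def LEVsetObjectLevel(self, pSeid: str, oSeid: str, otii) -> None:
        etype = self.seid_type[oSeid]              # DEFINITIONS: type IS SENseidType(oSeid)
        # EXCEPTIONS_OF TIIsetEntityLevel, modelled as one privilege check
        # (assumption: the real smx exceptions are not on this page)
        if "privSetLevel" not in self.privs.get(pSeid, set()):
            raise KernelException("KEsmxNoPriv")
        # KElevSegEx: a sharable segment may not be relabelled
        if etype is SecureEntityType.tSegment and self.sharable.get(oSeid, False):
            raise KernelException("KElevSegEx")
        # KElevFilEx: a file-like object open in any process's table may not be relabelled
        if etype in FILE_LIKE and any(s == oSeid for s in self.open_entries.values()):
            raise KernelException("KElevFilEx")
        self.levels[oSeid] = otii                  # EFFECTS_OF TIIsetEntityLevel


def run_scenario() -> dict:
    """Constructed objects: a shared and a private segment, an open and a
    closed file; 'admin' holds privSetLevel, 'user' holds nothing."""
    T = SecureEntityType
    st = LevState(
        seid_type={"seg1": T.tSegment, "seg2": T.tSegment,
                   "f1": T.tFile, "f2": T.tFile, "pr": T.tProcess},
        levels={k: "L0" for k in ("seg1", "seg2", "f1", "f2", "pr")},
        sharable={"seg1": True, "seg2": False},
        open_entries={("pr", 4): "f1"},   # process pr has f1 open as descriptor 4
        privs={"admin": {"privSetLevel"}},
    )
    out = {}
    for who, obj in [("user", "seg2"), ("admin", "seg1"), ("admin", "seg2"),
                     ("admin", "f1"), ("admin", "f2")]:
        try:
            st.LEVsetObjectLevel(who, obj, "L1")
            out[(who, obj)] = "set"
        except KernelException as e:
            out[(who, obj)] = e.name
    out["levels"] = dict(st.levels)
    return out
```

The exceptions are tested in the order the specification lists them, which is what makes the outcome deterministic when more than one condition holds (an unprivileged caller on an open file sees the privilege exception, not KElevFilEx).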
$(" MODULE:       mac.specs (version 2.4)
    CONTENTS:     Machine
    TYPE:         SPECIAL specifications
    LAST CHANGED: 6/24/79 19:31:12
")

MODULE mac

PARAMETERS

INTEGER MACmaxVAddr,   $( maximum virtual address, also maximum segment size,
                          2**16 - 1 on PDP-11/70)
        MACmaxOffset,  $( maximum offset component of virtual address,
                          2**13 - 1 on PDP-11/70)
        MACmaxReg;     $( maximum memory mapping register address, seven on
                          PDP-11/70)

ASSERTIONS

MACmaxVAddr > 0; MACmaxOffset > 0; MACmaxReg > 0;
MACmaxVAddr + 1 = (MACmaxOffset + 1) * (MACmaxReg + 1);

FUNCTIONS

VFUN MACclock() -> INTEGER time;
    $( integer that represents real time)
  INITIALLY TRUE;

OFUN MACclockIncrement();
    $( invoked continuously by a separate abstract process -- the system clock)
  EFFECTS
    'MACclock() = MACclock() + 1;

END_MODULE
$(" MODULE:       pbl.specs (version 2.7)
    CONTENTS:     Parameter Block Functions
    TYPE:         SPECIAL specifications
    LAST CHANGED: 10/12/79, 14:18:28
")

MODULE pbl

$( This module specifies the action of getting arguments or putting results
   of operations into the virtual memory of a process.  The part of
   virtual memory so manipulated is called a parameter block.  The need
   for parameter blocks comes about when the length of the data is not
   constant for all invocations of a given operation.

   To make specifications more readable, all parameter block operations are
   specified in two parts.  The basic functionality of an operation is
   specified in the module to whose object the operation refers, e.g.,
   the basic specification of readBlock comes from the fmi module.  The
   parameter block manipulation, along with appropriate data conversion,
   is specified here.  This decomposition removes the issue of parameter
   blocks from the basic specification of already complicated operations.
   The parameter block manipulation becomes simple once isolated here.)

TYPES

$(from mac)
vAddrType: {0 .. MACmaxVAddr};

$(from pvm)
virtualLocation:
    STRUCT_OF(domainType domain; spaceType idSpace; vAddrType vAddr);
pBlock: STRUCT_OF(virtualLocation vloc; INTEGER size);

$(from fca)
asyncId: CHAR;
fileStatus: STRUCT_OF(INTEGER nBlocks, linkCount, timeLastMod; seid subtype;
                      BOOLEAN openAtCrash);
ioStatus: STRUCT_OF(INTEGER devDep, devInd);
fileBlock: VECTOR_OF CHAR;
readResult: STRUCT_OF(VECTOR_OF fileBlock data; ioStatus errst);

$(from spf)
SPFargs: VECTOR_OF INTEGER;

EXTERNALREFS

FROM mac:
  INTEGER MACmaxVAddr;

FROM smx:
  seid: DESIGNATOR;
  domainType: {userDomain, supervisorDomain};

FROM pvm:
  spaceType: {iSpace, dSpace};
  OFUN PVMstore(seid pSeid; pBlock block; VECTOR_OF INTEGER vec);
  VFUN PVMretrieve(seid pSeid; pBlock block) -> VECTOR_OF INTEGER vec;

FROM fca:
  openDescriptor: DESIGNATOR;
  IOfunction: {rewind, etc};

FROM fmi:
  VFUN FCAvDeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                          VECTOR_OF INTEGER args; asyncId id)
      -> ioStatus status;
  OVFUN FCAdeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                          VECTOR_OF INTEGER args; asyncId id)
      -> ioStatus status;
  VFUN FCAvReadBlocks(seid pSeid; openDescriptor od; INTEGER blockNo, size;
                      asyncId as) -> readResult rr;
  OVFUN FCAreadBlocks(seid pSeid; openDescriptor od; INTEGER blockNo, size;
                      asyncId as) -> readResult rr;
  OVFUN FCAwriteBlocks(seid pSeid; openDescriptor od; INTEGER blockNo;
                       VECTOR_OF fileBlock vfb; asyncId id) -> ioStatus ios;

FROM spf:
  SPFfunctionType: {syncSPF, InnnSegSPF, sysHaltSPF, levelSetSPF};
  OFUN SPFspecialFunction(seid pSeid; SPFfunctionType fn; SPFargs args);

ASSERTIONS

FORALL VECTOR_OF fileBlock vfb
  : PBLwordsToBlocks(PBLblocksToWords(vfb)) = vfb;

FUNCTIONS

$(----------------------- data conversion functions -----------------------)

VFUN PBLioStatToVec(ioStatus ios) -> VECTOR_OF INTEGER vi;
  HIDDEN;
  INITIALLY vi = ?;

VFUN PBLblocksToWords(VECTOR_OF fileBlock vfb) -> VECTOR_OF INTEGER vi;
  HIDDEN;
  INITIALLY vi = ?;

VFUN PBLwordsToBlocks(VECTOR_OF INTEGER vi) -> VECTOR_OF fileBlock vfb;
  HIDDEN;
  DERIVATION SOME VECTOR_OF fileBlock vfb1 | PBLblocksToWords(vfb1) = vi;

$(------------------------------ operations -------------------------------)

OFUN PBLdeviceFunction(seid pSeid; openDescriptor od; IOfunction f;
                       pBlock arguments, status; asyncId id);
    $(PBLdeviceFunction)
  DEFINITIONS
    VECTOR_OF INTEGER inargs IS PVMretrieve(pSeid, arguments);
    ioStatus st IS FCAvDeviceFunction(pSeid, od, f, inargs, id);
    VECTOR_OF INTEGER result IS PBLioStatToVec(st);
  EXCEPTIONS
    EXCEPTIONS_OF PVMretrieve(pSeid, arguments);
    EXCEPTIONS_OF FCAdeviceFunction(pSeid, od, f, inargs, id);
    EXCEPTIONS_OF PVMstore(pSeid, status, result);
  EFFECTS
    EFFECTS_OF PVMstore(pSeid, status, result);
    st = EFFECTS_OF FCAdeviceFunction(pSeid, od, f, inargs, id);

OVFUN PBLreadBlock(seid pSeid; openDescriptor od; INTEGER blockNo;
                   pBlock duFile; asyncId as)
    -> STRUCT_OF(INTEGER bytesRead; ioStatus errst) result;
    $(PBLreadBlock)
  DEFINITIONS
    readResult rr IS FCAvReadBlocks(pSeid, od, blockNo, duFile.size, as);
    VECTOR_OF INTEGER intData IS PBLblocksToWords(rr.data);
  EXCEPTIONS
    EXCEPTIONS_OF FCAreadBlocks(pSeid, od, blockNo, duFile.size, as);
    EXCEPTIONS_OF PVMstore(pSeid, duFile, intData);
  EFFECTS
    result = STRUCT(LENGTH(intData), rr.errst);
    EFFECTS_OF PVMstore(pSeid, duFile, intData);

OFUN PBLspecialFunction(seid pSeid; SPFfunctionType fn; pBlock parm);
    $(PBLspecialFunction)
  DEFINITIONS
    SPFargs args IS PVMretrieve(pSeid, parm);
  EXCEPTIONS
    EXCEPTIONS_OF PVMretrieve(pSeid, parm);
    EXCEPTIONS_OF SPFspecialFunction(pSeid, fn, args);
  EFFECTS
    EFFECTS_OF SPFspecialFunction(pSeid, fn, args);

OVFUN PBLwriteBlock(seid pSeid; openDescriptor od; INTEGER blockNo;
                    pBlock duFile; asyncId id) -> ioStatus ios;
    $(PBLwriteBlock)
  DEFINITIONS
    VECTOR_OF fileBlock vfb IS PBLwordsToBlocks(PVMretrieve(pSeid, duFile));
  EXCEPTIONS
    EXCEPTIONS_OF PVMretrieve(pSeid, duFile);
    EXCEPTIONS_OF FCAwriteBlocks(pSeid, od, blockNo, vfb, id);
  EFFECTS
    ios = EFFECTS_OF FCAwriteBlocks(pSeid, od, blockNo, vfb, id);

END_MODULE
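A pBlock is a (virtualLocation, size) pair naming a region of the calling process's own address space, and every pbl operation is a copy-in (PVMretrieve) or copy-out (PVMstore) through such a region, with the file-block/word conversion whose round trip the ASSERTIONS section requires. The Python below is an added executable model covering both the mac module's address parameters (its ASSERTIONS tie MACmaxVAddr to the register/offset split) and the pbl module's PBLreadBlock path; it is not code from either module. Assumptions marked in the code: a fileBlock is 512 bytes, words are 16-bit little-endian as on the PDP-11, a pBlock must be word-aligned and lie entirely below MACmaxVAddr, and the exception raised when it does not is given the constructed name KEpvmBadBlock (the page lists no PVMstore/PVMretrieve exceptions). The errst value 0 is likewise a constructed "no error" status.

```python
import struct

# mac.specs PARAMETERS with the PDP-11/70 values its comments give
MACmaxVAddr = 2**16 - 1
MACmaxOffset = 2**13 - 1
MACmaxReg = 7

FILE_BLOCK_BYTES = 512   # assumed size of a fileBlock (VECTOR_OF CHAR)


class KernelException(Exception):
    """A SPECIAL EXCEPTIONS clause firing; .name is the KE... identifier."""

    def __init__(self, name: str):
        super().__init__(name)
        self.name = name


def mac_assertions_hold() -> bool:
    """The mac ASSERTIONS: positive bounds and an exact register*offset split."""
    return (MACmaxVAddr > 0 and MACmaxOffset > 0 and MACmaxReg > 0
            and MACmaxVAddr + 1 == (MACmaxOffset + 1) * (MACmaxReg + 1))


def split_vaddr(vaddr: int) -> tuple:
    """vAddrType value -> (memory mapping register index, offset in that page)."""
    if not 0 <= vaddr <= MACmaxVAddr:
        raise ValueError("outside vAddrType")
    return vaddr // (MACmaxOffset + 1), vaddr % (MACmaxOffset + 1)


def PBLblocksToWords(vfb: list) -> list:
    """Concatenate file blocks and view the bytes as 16-bit words."""
    data = b"".join(vfb)
    return list(struct.unpack("<%dH" % (len(data) // 2), data))


def PBLwordsToBlocks(vi: list) -> list:
    """Inverse of PBLblocksToWords for whole blocks (the pbl ASSERTION)."""
    data = struct.pack("<%dH" % len(vi), *vi)
    return [data[i:i + FILE_BLOCK_BYTES] for i in range(0, len(data), FILE_BLOCK_BYTES)]


class ProcessMemory:
    """One process's virtual memory: MACmaxVAddr + 1 bytes (constructed)."""

    def __init__(self):
        self.mem = bytearray(MACmaxVAddr + 1)

    def _check(self, pblock: tuple) -> None:
        # pBlock modelled as (vloc.vAddr, size in bytes); assumed bounds rule
        vaddr, size = pblock
        if (size < 0 or vaddr < 0 or vaddr + size - 1 > MACmaxVAddr
                or vaddr % 2 or size % 2):
            raise KernelException("KEpvmBadBlock")   # assumed exception name

    def PVMretrieve(self, pblock: tuple) -> list:
        self._check(pblock)
        vaddr, size = pblock
        return list(struct.unpack("<%dH" % (size // 2), self.mem[vaddr:vaddr + size]))

    def PVMstore(self, pblock: tuple, vec: list) -> None:
        self._check(pblock)
        vaddr, size = pblock
        if len(vec) * 2 > size:
            raise KernelException("KEpvmBadBlock")   # data larger than the block
        self.mem[vaddr:vaddr + len(vec) * 2] = struct.pack("<%dH" % len(vec), *vec)


def PBLreadBlock(mem: ProcessMemory, file_blocks: dict, blockNo: int, duFile: tuple) -> tuple:
    """Model of PBLreadBlock: FCAvReadBlocks(blockNo, duFile.size) supplies the
    blocks covering duFile.size bytes, they are converted to words and stored
    into duFile; result = STRUCT(LENGTH(intData), rr.errst) as in the spec."""
    vaddr, size = duFile
    n_blocks = -(-size // FILE_BLOCK_BYTES)
    rr_data = [file_blocks[b] for b in range(blockNo, blockNo + n_blocks) if b in file_blocks]
    intData = PBLblocksToWords(rr_data)[: size // 2]   # at most duFile.size bytes
    mem.PVMstore(duFile, intData)
    return len(intData), 0


def read_scenario() -> dict:
    mem = ProcessMemory()
    file_blocks = {0: b"A" * FILE_BLOCK_BYTES, 1: b"B" * FILE_BLOCK_BYTES}  # constructed file
    out = {}
    out["bytesRead"], out["errst"] = PBLreadBlock(mem, file_blocks, 0, (0x1000, 768))
    out["tail"] = bytes(mem.mem[0x1000 + 766:0x1000 + 770])   # last stored word, then untouched zeros
    try:
        PBLreadBlock(mem, file_blocks, 0, (0xFF00, 768))       # runs past MACmaxVAddr
        out["bad"] = "stored"
    except KernelException as e:
        out["bad"] = e.name
    return out
```

The bounds check in `_check` is the part that matters for the perimeter: because the pBlock is interpreted inside the kernel on behalf of the caller, the kernel, not the caller, must establish that the region lies within the caller's own address space before any copy is performed.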


Page  1 


pro. specs 


FrJ  Mar  27  15  -  33  -  31  1981 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 

26 

27 

28 

29 

30 

31 

32 

33 

34 

35 

36 

37 

38 

39 

40 

41 

42 

43 

44 

45 

46 

47 

48 

49 

50 

51 

52 

53 

54 

55 

56 


$(" 


") 


MODULE 

CONTENTS 

TYPE 

LAST  CHANGED : 


pro. specs  (version  2.11) 
Process  Operators 
SPECIAL. specifications 
7/17/79,  15  08:33 


MODULE  pro 

$(  this  module  now  contains  the  material  which  was  formerly  In 
the  pro.  lpc  and  pst  modules) 

TYPES 

$(types  supporting  pseudo  interrupts) 

piLevelType:  {PROminPi Level  ..  PROmaxPiLevel } :  $(pseudo  interrupt  level  range) 
piEntryType •  STRUCT  OF (BOOLEAN  pending: 

piLevelType  oldPil; 

INTEGER  old Pc; 

INTEGER  oldPs: 

INTEGER  parameter; 

INTEGER  newPc; 

INTEGER  newPs); 

piVectorType:  {VECTOR  OF  piEntryType  piv  1 

LENGTH(piv)  -  PROmaxPiLevel-PROminPiLevel } : 


$(types  supporting  ipc) 

ipcqType:  {VECTOR  OF  ipcMessageType  zz  I  LENGTH (22)  <»  IPCmaxMessageCount } ; 
i pcMessageType ;  STRUCT  OF(seid  sender;  IpcTextType  text); 
ipcTextType:  {VECTOR  OF  CHAR  vc  |  LENGTH (vc)  *  IPCmaxMessageLength}; 
pendingType:  STRUCT  OF (BOOLEAN  flag;  INTEGER  time); 


$(structure  of  process  status  information) 
processStateType :  STRUCT  OF (seid  self; 

seld  parent; 
INTEGER  family; 
INTEGER  realUser; 
INTEGER  realGroup; 
INTEGER  pc; 

INTEGER  ps; 
piLevelType  pil; 
piVectorType 
ipcqType 
INTEGER 
INTEGER 
INTEGER 


$(program  counter) 

$ (processor  status) 


pi  v: 
ipcq; 
advPrio; 
timer Alarm; 
super  vi s  or Ti mi ng ; 
INTEGER  userTimlng; 
BOOLEAN  timTog)- 


$(advisory  priority) 
$(one-2ero  crossing  ■>  pi) 


$(timer  toggle  TRUE  is  ON) 


$(from  smx) 

nonDisType:  STRUCT  OF ( 

INTEGER  securityLevel .  SET  OF  securityCat  securityCatS : 
INTEGER  integrityLevel ;  SET  OF  IncegrityCat  integrityCatS): 
daType :  SET  OF  daMode ; 

modeStruct:  STRUCT  0F(daType  ownerMode,  groupMode.  allMode); 
tiiS'.ruct:  STRUCT  OF(nonDisType  nd; 
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57  modeStruct  da;  INTEGER  owner,  group;  SET  OF  privType  priv); 

58 

59 

60  PARAMETERS 

61 

62  INTEGER  PROmaxProcessCount ; 

63 

64  INTEGER  PROmtnPiLevel :  $(most  interruptable  pseudo  Interrupt  level) 

65  INTEGER  PROtnaxPi Level ;  $(least  Interruptable  pseudo  Interrupt  level) 

66  INTEGER  plZero, pilPC.plTimer .plSlgnal .piHardwareFault : 

67  $(deflned  pseudo  interrupt  levels) 

68 

69  INTEGER  IPCmaxMessageCount ;  $  (maximum  number  of  ipc  messages  per  process) 

70  INTEGER  IPCmaxMessageLength ;  $(maximum  number  of  characters  per  ipc  message) 

71  IpcMessageType  ti meoutMessage ;  $(disti nguished  message  returned  when  Kreceive 

72  is  satisfied  by  its  timeout) 

73 

74  INTEGER  newPc,  $(program  counter  for  process  invocation  and  spawning. 

75  probably  0) 

76  newPs;  $(processor  state  for  process  invocation  and  spawning. 

77  probably  050000  octal) 

78 

79  seid  processExampleSei d ;  $(any  seid  with  the  tProcess  nsp) 

80  piVectorType  emptyPiv;  $(used  for  state  initialization) 

81  ipcqType  emptylpcq;  $(  ...  ) 

82 

83 

84  DEFINITIONS 

85 

86  BOOLEAN  processExists(seid  pSeld)  IS  PSTprocessState(pSeid )  ?: 

87  seid  newProcessSeid  IS  $(the  process  seid  generation  algorithm) 

88  SENmakeSeid(processExampleSeld,  SOME  INTEGER  I  |  EXISTS  seid  s  : 

89  SENseidType(s)  ■  tProcess 

90  AND  SENseidlndex(s)  -  i 

91  AND  NOT  processExists(s)) ; 

92  INTEGER  processCount  IS 

93  CARDINALITY  {INTEGER  i  |  PSTprocessSlot(i)  ?}); 

94  INTEGER  emptySlot  IS  SOME  INTEGER  i  |  i  INSET  {1  ..  PROmaxProcessCount } 

95  AND  PSTprocessSlot(l )  ■  ?; 

96 

97 

98  EXTERNALREFS 

99 

100  FROM  mac: 

101  VFUN  MACclockO  ->  INTEGER  time; 

102 

103  FROM  smx: 

104  seid:  DESIGNATOR; 

105  secureEntityType :  {tFile,  tDevlce,  tTerminal,  tProcess,  tSegment, 

106  tSubtype .  tExtent,  tNull}; 

107  privType:  { 

108  prlvFlleUpdateStatus,  prlvLlnk,  prlvLockSeg. 

109  pri vModifyPriv.  privMount, 

110  prlvSetFileLevel.  pri vSetSegProcLevel, 

111  pri vStlckySeg,  pri vTerminalLock, 


pri vViolSimpSecurity .  pri vVlolStarSecurlty, 
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113  prlvViolSlmpIntegrlty ;  pri vVlolStarlntegrity , 

114  prl vVlolDlscrAccess ,  prlvSlgnal.  prl vWalkPTable . 

115  privHalt.  pri vKernelCall .  pri vVlolCompartments , 

116  prl vRealizeExecPermissions}: 

117  daMode-  {daRead,  daWrlte,  daExecute}; 

118  securltyCat :  DESIGNATOR; 

119  lntegrltyCat:  DESIGNATOR: 

120  VFUN  SENse Id Index (sel d  s)  ->  INTEGER  Index; 

121  VFUN  SENsel dType(seld  s)  ->  secureEntltyType  t; 

122  VFUN  SENmakeSeid(seid  exampleSeld;  INTEGER  Index)  ->  seld  rSeid; 

123  VFUN  SMXhasPrl v(seld  pSeld;  privType  prlv)  ->  BOOLEAN  b: 

124  VFUN  SMXf low(seld  pSeld.  oSeld;  daType  da)  ->  BOOLEAN  b; 

125  VFUN  SMXdap(seld  pSeld.  oSeld;  daType  da)  ->  BOOLEAN  b; 

126  VFUN  TIIgetEntltyLeveKseid  pSeld,  oSeld)  ->tilStruct  otll; 

127  VFUN  Tllinf o(seid  s)  ->  tllStruct  tils; 

128  OFUN  TIIsetEntltyLevel (seld  pSeld,  oSled;  tllStruct  ntll); 

129 

130  FROM  pvm: 

131  segDes:  DESIGNATOR- 

132 

133  FROM  pvp : 

134  OFUN  PVPforkSupport (seld  parent,  child); 

135  OFUN  PVPinvokeSupport(seid  pSeld.  ImmSeid;  segDes  arg); 

136  OFUN  PVPspawnSupport(seid  parent,  child,  Infield;  segDes  arg): 

137  OFUN  PVPreleaseProcessSupport(sel d  pSeld); 

138 

139  FROM  fca: 

140  OFUN  FCAcreateOpenTable(seid  pSeld):  $(spawn  support) 

141  OFUN  FCAcloseAll (seld  pSeld):  $( Invoke  support) 

142 

143  FROM  f ml  • 

144  OFUN  FMIforkSupport(seld  parent,  child); 

145  OFUN  FMIreleaseSupport(seld  pSeld); 

146 

147 

148  ASSERTIONS 

149  PROmlnPlLevel  <■  plZero.  plZero  <  plIPC:  plIPC  <  plTlmer;  plTlmer  <  piSlgnal: 

150  piSlgnal  <  pi Hardware Fault ;  plHardvareFault  <■  PROmaxPILevel ; 

151  $(  ordering  of  defined  pseudo  Interrupt  levels) 

152  SENseldType(processExampleSeid)  ■  tProcess; 

153  $(proce8sExampleSeld  Is  an  example  of  a  process  seld) 

154  FORALL  INTEGER  1  INSET  {PROmlnPlLevel  ..  PROmaxPILevel}  : 

155  emptyPl v[l ]  -  STRUCT(FALSE . 1 ,0 . 0,0, 0  0) ;  $( definition  of  empty  plv) 

156  LENGTH (emptylpcq)  “  0;  $(emptylpcq  Is  In  fact  empty) 

157  processCount  <■  PROmaxProcessCount ;  $(there  are  never  too  many  processes) 

158 

159 

FUNCTIONS

$(----- process state functions -----)

VFUN PSTprocessState(seid pSeid) -> processStateType ps;
  HIDDEN;
  INITIALLY ps = ?;

VFUN PSTprocessSlot(INTEGER n) -> seid ps;
  HIDDEN;
  INITIALLY ps = ?;

$(----- support for K_walkProcessTable -----)

VFUN PROwalkProcessTable(seid pSeid; INTEGER n) -> seid rSeid;
  EXCEPTIONS
    KEproNoPriv: NOT privWalkPTable INSET TIIinfo(pSeid).priv;
    KEproBadSlot: NOT n+1 INSET {1 .. PROmaxProcessCount};
  DERIVATION
    PSTprocessSlot(n);

$(----- support for K_nap -----)

VFUN PSTtimeOfNap(seid pSeid) -> INTEGER time;
  HIDDEN;
  INITIALLY time = 0;

OFUN PROnap(seid pSeid; INTEGER timeout);
  DELAY WITH 'PSTtimeOfNap(pSeid) = MACclock();
  UNTIL MACclock() >= PSTtimeOfNap(pSeid) + timeout;

$(----- support for pseudo interrupts: K_signal and K_interruptReturn -----)

OFUN PROsignal(seid sender, receiver; INTEGER signalName);
  DEFINITIONS
    piEntryType receiversSignalEntry()
      IS PSTprocessState(receiver).piv[piSignal];
  EXCEPTIONS
    KEproNoPriv: NOT SMXhasPriv(sender, privSignal);
    KEproNoAccess: NOT (processExists(receiver)
                        AND SMXflow(sender, receiver, {daWrite, daRead}));
    KEproUninterruptable: NOT PSTprocessState(receiver).pil > piSignal;
      $(if fails, try once again after a short timeout)
  ASSERTIONS
    processExists(sender);
  EFFECTS
    'receiversSignalEntry().pending = TRUE;
    'receiversSignalEntry().parameter = signalName;
  $(PROBLEMS
    Design requires that K_signal interrupt long kernel calls. How is
    this to be done?)

OFUN PROinterruptReturn(seid pSeid);
  $(emulates the rti instruction. Uses the pseudo interrupt vector entry
    associated with the current level and restores pc, ps, and pil to their
    "old" values)
  DEFINITIONS
    piEntryType currentInterruptEntry
      IS PSTprocessState(pSeid).piv[PSTprocessState(pSeid).pil];
  EFFECTS
    'PSTprocessState(pSeid).pc = currentInterruptEntry.oldPc;
    'PSTprocessState(pSeid).ps = currentInterruptEntry.oldPs;
    'PSTprocessState(pSeid).pil = currentInterruptEntry.oldPil;

$(----- support for ipc: K_post and K_receive -----)

OFUN PROpost(seid sender, receiver; BOOLEAN postPseudoInterrupt;
             ipcTextType text);
  $(Detects security violation and overflow. Appends message to the tail of
    the receiver's ipcq. Posts pseudo interrupt in the receiver if requested
    and if receiver has no pending receive)
  DEFINITIONS
    VECTOR_OF ipcMessageType queue() IS PSTprocessState(receiver).ipcq;
    INTEGER qLength IS LENGTH(queue());
  EXCEPTIONS
    KEproNoReceiver: NOT (processExists(receiver)
                          AND SMXflow(sender, receiver, {daWrite}));
    KEproIpcOverflow: (1+qLength) > IPCmaxMessageCount;
  ASSERTIONS
    processExists(sender);
    LENGTH(text) <= IPCmaxMessageLength;
  EFFECTS
    $(append new message to receiver's queue)
    'queue() = VECTOR(FOR i FROM 1 TO 1+qLength :
                 IF i <= qLength THEN queue()[i] ELSE STRUCT(sender, text));
    $(post ipc pseudo interrupt if required and if receiver has no pending
      read)
    postPseudoInterrupt AND NOT PSTreceivePending(receiver).flag
      => 'PSTprocessState(receiver).piv[piIPC].pending = TRUE;

VFUN PSTreceivePending(seid pSeid) -> pendingType r;
  HIDDEN;
  INITIALLY r.flag = FALSE AND r.time = 0;

OVFUN PROreceive(seid pSeid; INTEGER timeout) -> ipcMessageType msg;
  $(Returns the ipc message at the head of the queue if one exists or arrives
    before the expiration of timeout. Otherwise returns a distinguished ipc
    message signifying timeout)
  DEFINITIONS
    VECTOR_OF ipcMessageType queue() IS PSTprocessState(pSeid).ipcq;
    INTEGER qLength IS LENGTH(queue());
    pendingType pending() IS PSTreceivePending(pSeid);
  DELAY WITH 'pending().flag = TRUE; 'pending().time = MACclock();
  UNTIL qLength > 0 OR MACclock() >= pending().time + timeout;
  EFFECTS
    IF qLength > 0 THEN msg = queue()[1] ELSE msg = timeoutMessage;
    'queue() = VECTOR(FOR i FROM 1 TO qLength-1 : queue()[i+1]);
    'pending().flag = FALSE;
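The K_post / K_receive behaviour specified above, as an added Python model that is not part of the KSOS specification: SMXflow is replaced by a constructed dominance check on (level, categories) labels, MACclock by a counter, and IPC_MAX_MESSAGE_COUNT / IPC_MAX_MESSAGE_LENGTH are constructed stand-ins for the spec's IPCmaxMessageCount and IPCmaxMessageLength parameters.

```python
# Added model of PROpost / PROreceive; not the KSOS specification itself.
from dataclasses import dataclass, field

IPC_MAX_MESSAGE_COUNT = 4            # constructed stand-in for IPCmaxMessageCount
IPC_MAX_MESSAGE_LENGTH = 16          # constructed stand-in for IPCmaxMessageLength
TIMEOUT_MESSAGE = ("timeout", b"")   # the distinguished timeoutMessage


@dataclass(frozen=True)
class Label:
    """A (level, categories) pair; stands in for the nonDisType part of TIIinfo."""
    level: int
    cats: frozenset

    def dominates(self, other):
        return self.level >= other.level and self.cats >= other.cats


@dataclass
class Process:
    """The slice of processStateType that K_post / K_receive touch."""
    seid: str
    label: Label
    ipcq: list = field(default_factory=list)   # VECTOR_OF ipcMessageType
    receive_pending: bool = False               # PSTreceivePending(...).flag
    pending_time: int = 0                       # PSTreceivePending(...).time
    pi_ipc_pending: bool = False                # piv[piIPC].pending


class IpcError(Exception):
    """Carries the name of the SPECIAL exception that would be signalled."""


def smx_flow_write(sender, receiver):
    # Stand-in for SMXflow(sender, receiver, {daWrite}): information may flow
    # from sender to receiver only if the receiver's label dominates the sender's.
    return receiver.label.dominates(sender.label)


def pro_post(procs, sender_seid, receiver_seid, post_pseudo_interrupt, text):
    """PROpost: append text to the receiver's ipcq, raising the spec's exceptions."""
    sender = procs[sender_seid]
    receiver = procs.get(receiver_seid)          # None models NOT processExists
    assert len(text) <= IPC_MAX_MESSAGE_LENGTH   # the spec's ASSERTIONS (precondition)
    if receiver is None or not smx_flow_write(sender, receiver):
        raise IpcError("KEproNoReceiver")
    if 1 + len(receiver.ipcq) > IPC_MAX_MESSAGE_COUNT:
        raise IpcError("KEproIpcOverflow")
    receiver.ipcq.append((sender_seid, text))    # STRUCT(sender, text) at the tail
    if post_pseudo_interrupt and not receiver.receive_pending:
        receiver.pi_ipc_pending = True           # 'piv[piIPC].pending = TRUE


def post_outcome(procs, sender_seid, receiver_seid, post_pseudo_interrupt, text):
    """Run pro_post and report the SPECIAL exception name, or "ok"."""
    try:
        pro_post(procs, sender_seid, receiver_seid, post_pseudo_interrupt, text)
        return "ok"
    except IpcError as e:
        return str(e)


def pro_receive(procs, seid, timeout, clock):
    """PROreceive: head of the queue, or timeoutMessage once timeout has expired."""
    p = procs[seid]
    p.receive_pending, p.pending_time = True, clock()      # DELAY WITH ...
    while not p.ipcq and clock() < p.pending_time + timeout:
        pass                                                # ... UNTIL (busy wait in the model)
    msg = p.ipcq.pop(0) if p.ipcq else TIMEOUT_MESSAGE      # queue()[1] or timeoutMessage
    p.receive_pending = False
    return msg


def make_clock():
    """Constructed MACclock: a counter that advances by one on every read."""
    t = [0]

    def clock():
        t[0] += 1
        return t[0]
    return clock


def constructed_processes():
    """Two constructed processes: pLow at (1, {}) and pHigh at (2, {crypto})."""
    low = Process("pLow", Label(1, frozenset()))
    high = Process("pHigh", Label(2, frozenset({"crypto"})))
    return {"pLow": low, "pHigh": high}
```

Note that KEproIpcOverflow depends on the receiver's queue length, so a low sender posting upward observes one bit of a high receiver's state; a flow analysis of this specification has to flag or bandwidth-limit that path.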

$(----- support for K_fork -----)

OVFUN PROfork(seid parent) -> seid child;
  DEFINITIONS
    processStateType p IS PSTprocessState(parent);
    seid c IS newProcessSeid;
  EXCEPTIONS
    KEproTooManyProcesses: processCount+1 > PROmaxProcessCount;
    EXCEPTIONS_OF FMIforkSupport(parent, c);
    EXCEPTIONS_OF PVPforkSupport(parent, c);
  EFFECTS
    child = c;
    'PSTprocessSlot(emptySlot) = child;
    'PSTprocessState(child) = STRUCT(child, parent, p.family,
        p.realUser, p.realGroup, p.pc, p.ps, PROmaxPILevel,
        emptyPiv, emptyIpcq, p.advPrio, 0, 0, 0, FALSE);
      $(this assertion specifies the initial process state of a forked child)
    'TIIinfo(child) = TIIinfo(parent);
      $(this assertion specifies the initial tii state of a forked child)
    EFFECTS_OF FMIforkSupport(parent, child);  $(provide and copy pofv)
    EFFECTS_OF PVPforkSupport(parent, child);  $(provide virtual memory)

$(----- support for K_invoke -----)

OFUN PROinvoke(seid pSeid, immSeid; segDes arg);
  DEFINITIONS
    processStateType p IS PSTprocessState(pSeid);
    tiiStruct pt IS TIIinfo(pSeid);
  EXCEPTIONS
    EXCEPTIONS_OF PVPinvokeSupport(pSeid, immSeid, arg);
  ASSERTIONS
    processExists(pSeid);
  EFFECTS
    'PSTprocessState(pSeid) = STRUCT(p.self, p.parent, p.family,
        p.realUser, p.realGroup, newPc, newPs,
        p.pil, emptyPiv, emptyIpcq, p.advPrio, 0, 0, 0, FALSE);
      $(assertion defines the initial process state of the invoked intermed.)
    'TIIinfo(pSeid) = STRUCT(pt.nd, pt.da, pt.owner, pt.group,
        TIIinfo(immSeid).priv);
      $(this is how the post-invoke process gets the intermed's privileges)
    EFFECTS_OF PVPinvokeSupport(pSeid, immSeid, arg);  $(redo virtual memory)

$(----- support for K_spawn -----)

OVFUN PROspawn(seid parent, immSeid; segDes arg) -> seid child;
  DEFINITIONS
    processStateType p IS PSTprocessState(parent);
    tiiStruct pt IS TIIinfo(parent);
    seid c IS newProcessSeid;
  EXCEPTIONS
    KEproTooManyProcesses: processCount+1 > PROmaxProcessCount;
    EXCEPTIONS_OF PVPspawnSupport(parent, c, immSeid, arg);
    EXCEPTIONS_OF FCAcreateOpenTable(parent);
  ASSERTIONS
    processExists(parent);
  EFFECTS
    child = c;
    'PSTprocessSlot(emptySlot) = child;
    'PSTprocessState(child) = STRUCT(parent, child, p.family,
        p.realUser, p.realGroup, newPc, newPs, PROmaxPILevel,
        emptyPiv, emptyIpcq, p.advPrio, 0, 0, 0, FALSE);
      $(the process state of the newly spawned intermediary)
    'TIIinfo(child) = STRUCT(pt.nd, pt.da, pt.owner, pt.group,
        TIIinfo(immSeid).priv);
      $(post-spawn child acquires intermediary's privileges)
    EFFECTS_OF PVPspawnSupport(parent, child, immSeid, arg);  $(create vm)
    EFFECTS_OF FCAcreateOpenTable(child);  $(create pofv)


$(----- support for K_releaseProcess -----)

OFUN PROreleaseProcess(seid pSeid, rSeid);
  $(Typically a process will release itself and pSeid = rSeid. However this
    is not treated as a special case.)
  EXCEPTIONS
    KEproNoRelease: NOT processExists(rSeid)
      OR NOT (TIIinfo(rSeid).owner = TIIinfo(pSeid).owner
              OR privSetSegProcLevel INSET TIIinfo(pSeid).priv);
  ASSERTIONS
    processExists(pSeid);
  EFFECTS
    'PSTprocessSlot(SOME INTEGER i | PSTprocessSlot(i) = rSeid) = ?;
    'PSTprocessState(rSeid) = ?;
    'TIIinfo(rSeid) = ?;
    EFFECTS_OF FMIreleaseSupport(rSeid);
    EFFECTS_OF PVPreleaseProcessSupport(rSeid);

$(----- status getting and setting -----)

VFUN PROgetProcessStatus(seid pSeid, oSeid) -> processStateType ps;
  EXCEPTIONS
    KEproNoProcess: NOT processExists(oSeid)
      OR NOT SMXflow(pSeid, oSeid, {daRead});
  ASSERTIONS
    processExists(pSeid);
  DERIVATION
    PSTprocessState(oSeid);

OFUN PROsetProcessStatus(seid pSeid, oSeid; processStateType n);
  DEFINITIONS
    processStateType o IS PSTprocessState(oSeid);
  EXCEPTIONS
    KEproNoProcess: NOT processExists(oSeid)
      OR NOT SMXflow(pSeid, oSeid, {daWrite});
  ASSERTIONS
    processExists(pSeid);
  EFFECTS
    'PSTprocessState(oSeid) = STRUCT(o.self, o.parent, n.family,
        n.realUser, n.realGroup, n.pc, n.ps, n.pil, n.piv, n.ipcq,
        n.advPrio, n.timerAlarm, o.supervisorTiming, o.userTiming,
        n.timTog);

END_MODULE
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1  $("  MODULE'  pvm. specs  (version  2.37) 

CONTENTS:  Virtual  Memory 

TYPE:  SPECIAL. specifications 

LAST  CHANGED-  10/12/79.  10 '30 -48 


MODULE  pvm 

$(  this  module  now  contains  the  contents  of  what  was  the  seg  and  pvm  modules) 
TYPES 

$(FROM  mac) 

vAddrType-  (0  ..  MACmaxVAddr } ; 

$(FR0M  smx) 

da Type:  SET  OF  daMode; 

modeStruct:  STRUCT  OF (daType  ownerMode.  groupMode,  allMode): 
nonDisType:  STRUCT  OF ( 

INTEGER  securltyLevel :  SETOF  securltyCat  securltyCatS : 

INTEGER  IntegrltyLevel :  SET_0F  integrityCat  IntegrltyCatS); 
tllStruct:  STRUCT  OF( nonDisType  nd ; 

modeStruct  da;  INTEGER  owner,  group:  SETOF  privType  priv); 

$(from  pvm  —  exportable) 
segDes:  DESIGNATOR: 
spaceType:  (ISpace,  dSpace}: 
direction:  {up,  down}; 

$(f rom  pvm  —  redeclarable) 
virtualLocation: 

STRUCT  OF(domalnType  domain;  spaceType  IdSpace;  vAddrType  vAddr); 
pBlock:  STRUCT  OF (virtualLocation  vloc;  INTEGER  size); 
globalData: 

STRUCT  OF(BOOLEAN  sharable,  swappable,  sticky,  memAdvlse,  executable; 
direction  growth); 
statusStruct: 

STRUCT  OF(globalData  gl;  INTEGER  size); 

InstanceStruct : 

STRUCT_0F ( gl oba 1 Dat a  gl;  INTEGER  refCount;  VECTOR  OF  INTEGER  data): 
useStruct:  STRUCT _OF(seid  Instance;  virtualLocation  vloc;  daType  da); 

PARAMETERS 
$(from  seg) 

seld  exampleSegmentSeld;  $(used  for  segment  creation) 
segDes  SEGnullSeg;  $(  indicates  null  segment  designator) 

INTEGER  PVMmaxSegDes ;  $(maxinum  number  of  segment  designators  in  an  address 

space ) 


DEFINITIONS 


$(from  seg) 
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57 

58 

59 
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105 
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108 

109 

110 
111 
112 


  INTEGER SEGsize(seid segSeid) IS LENGTH(SEGinstanceInfo(segSeid).data);

$(from pvm)
  INTEGER nSegs(seid pSeid)
    IS CARDINALITY({segDes sd | SEGuseInfo(pSeid, sd) ~= ?});

  BOOLEAN PVMvmExists(seid pSeid) IS PVMsegmentSet(pSeid) ~= ?;

  segDes PVMblockToSeg(seid pSeid; pBlock block) IS
    SOME segDes sd
      | sd INSET PVMmappedSegmentSet(pSeid)
        AND (EXISTS useStruct use = SEGuseInfo(pSeid, sd)
               : use.vloc.domain = block.vloc.domain
                 AND use.vloc.idSpace = block.vloc.idSpace
                 AND use.vloc.vAddr <= block.vloc.vAddr
                 AND block.vloc.vAddr + block.size
                       <= use.vloc.vAddr + SEGsize(use.instance));
    $(gives the segment designator, if any, that totally contains block in
      the address space designated by pSeid; if there is none, returns ?; the
      segment must be mapped)

  SET_OF INTEGER addrRegRange(INTEGER vAddr, size; direction d) IS
    IF d = up
      THEN {vAddr / MACmaxOffset .. (vAddr + size - 1) / MACmaxOffset}
      ELSE {(vAddr - size + 1) / MACmaxOffset .. vAddr / MACmaxOffset};
    $(gives the range of address registers used by a segment as a function of
      its start address, size, and growth direction)

  SET_OF INTEGER addrRegRangeSeg(seid pSeid; segDes s) IS
    LET useStruct use = SEGuseInfo(pSeid, s)
    IN addrRegRange(use.vloc.vAddr, SEGsize(use.instance),
                    SEGinstanceInfo(use.instance).gl.growth);
    $(gives the range of address registers used by a segment as a function of
      the process id and the segment designator)

  BOOLEAN noHole(seid pSeid; INTEGER size; virtualLocation vl; direction d;
                 SET_OF segDes ssd) IS
    NOT addrRegRange(vl.vAddr, size, d) SUBSET {0 .. MACmaxReg}
    OR (EXISTS segDes s | s INSET ssd; useStruct use = SEGuseInfo(pSeid, s)
          : use.vloc.idSpace = vl.idSpace
            AND use.vloc.domain = vl.domain
            AND addrRegRangeSeg(pSeid, s)
                  INTER addrRegRange(vl.vAddr, size, d) ~= {});
    $(TRUE iff a segment described by size, vl, and direction will NOT fit into
      a hole in the address space designated by pSeid and ssd; this includes
      testing for virtual memory underflow and overflow)
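The addrRegRange, addrRegRangeSeg and noHole definitions above, together with the no-overlap assertion on mapped segments that the module states later, as an added Python model that is not part of the KSOS specification. MAC_MAX_OFFSET and MAC_MAX_REG are constructed stand-ins for MACmaxOffset and MACmaxReg (chosen to resemble the PDP-11 memory management unit's eight 8 KB page registers), and the instance record models only the growth direction from globalData.

```python
# Added model of the pvm address-register definitions; not the KSOS specification itself.
from dataclasses import dataclass

MAC_MAX_OFFSET = 8192   # constructed stand-in for MACmaxOffset (bytes per address register)
MAC_MAX_REG = 7         # constructed stand-in for MACmaxReg (registers are 0 .. MACmaxReg)
UP, DOWN = "up", "down"


@dataclass(frozen=True)
class VLoc:              # virtualLocation
    domain: str          # userDomain / supervisorDomain
    id_space: str        # iSpace / dSpace
    vaddr: int


@dataclass
class Use:               # useStruct
    instance: str
    vloc: VLoc
    da: frozenset


@dataclass
class Instance:          # instanceStruct, with gl reduced to its growth field
    growth: str
    ref_count: int
    data: list


def addr_reg_range(vaddr, size, d):
    """addrRegRange: the set of address registers a segment spans. Python's
    floor division keeps negative quotients negative, so underflow shows up
    as a register number below 0 exactly as the spec intends."""
    if d == UP:
        lo, hi = vaddr // MAC_MAX_OFFSET, (vaddr + size - 1) // MAC_MAX_OFFSET
    else:
        lo, hi = (vaddr - size + 1) // MAC_MAX_OFFSET, vaddr // MAC_MAX_OFFSET
    return set(range(lo, hi + 1))


def addr_reg_range_seg(uses, instances, sd):
    """addrRegRangeSeg: registers used by segment designator sd of one process."""
    use = uses[sd]
    inst = instances[use.instance]
    return addr_reg_range(use.vloc.vaddr, len(inst.data), inst.growth)   # len = SEGsize


def no_hole(uses, instances, size, vl, d, mapped):
    """noHole: True iff a segment (size, vl, d) will NOT fit among `mapped`."""
    want = addr_reg_range(vl.vaddr, size, d)
    if not want <= set(range(0, MAC_MAX_REG + 1)):
        return True                                   # underflow or overflow
    for sd in mapped:
        use = uses[sd]
        if (use.vloc.id_space == vl.id_space and use.vloc.domain == vl.domain
                and addr_reg_range_seg(uses, instances, sd) & want):
            return True                               # collides with a mapped segment
    return False


def mapped_segments_disjoint(uses, instances, mapped):
    """The module's ASSERTION: no two mapped segments in the same domain and
    idSpace share an address register."""
    ms = sorted(mapped)
    for i, s1 in enumerate(ms):
        for s2 in ms[i + 1:]:
            u1, u2 = uses[s1], uses[s2]
            if (u1.vloc.domain == u2.vloc.domain
                    and u1.vloc.id_space == u2.vloc.id_space
                    and addr_reg_range_seg(uses, instances, s1)
                        & addr_reg_range_seg(uses, instances, s2)):
                return False
    return True


def constructed_space():
    """A constructed address space: a 10000-byte text segment growing up from 0
    and an 8192-byte stack growing down from 65535, both in userDomain/dSpace."""
    instances = {"segText": Instance(UP, 1, [0] * 10000),
                 "segStack": Instance(DOWN, 1, [0] * 8192)}
    uses = {1: Use("segText", VLoc("userDomain", "dSpace", 0), frozenset({"daRead"})),
            2: Use("segStack", VLoc("userDomain", "dSpace", 65535),
                   frozenset({"daRead", "daWrite"}))}
    return uses, instances, {1, 2}
```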

EXTERNALREFS

FROM mac:
  INTEGER MACmaxVAddr, MACmaxOffset, MACmaxReg;

FROM smx:
  seid: DESIGNATOR;
  secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype,
                     tExtent, tNull};
  privType: {privFileUpdateStatus, privLink, privLockSeg,
             privModifyPriv, privMount,
             privSetFileLevel, privSetSegProcLevel,
             privStickySeg, privTerminalLock,
             privViolSimpSecurity, privViolStarSecurity,
             privViolSimpIntegrity, privViolStarIntegrity,
             privViolDiscrAccess, privSignal, privWalkPTable,
             privHalt, privKernelCall, privViolCompartments,
             privRealizeExecPermissions};
  daMode: {daRead, daWrite, daExecute};
  securityCat: DESIGNATOR;
  integrityCat: DESIGNATOR;
  domainType: {userDomain, supervisorDomain};
  VFUN SENseidNsp(seid s) -> INTEGER nsp;
  VFUN SENseidType(seid s) -> secureEntityType set;
  VFUN TIIinfo(seid anySeid) -> tiiStruct tiiSt;
  VFUN TIIgetEntityLevel(seid pSeid, oSeid) -> tiiStruct otii;
  OFUN TIIsetEntityLevel(seid pSeid, oSeid; tiiStruct ntii);
  VFUN SMXhasPriv(seid pSeid; privType priv) -> BOOLEAN b;
  VFUN SMXflow(seid pSeid, oSeid; daType da) -> BOOLEAN b;
  VFUN SMXdap(seid pSeid, oSeid; daType da) -> BOOLEAN b;

ASSERTIONS

$(from seg)
  PVMmaxSegDes >= 2;
    $(basic relations among the SEG parameters)
  SENseidType(exampleSegmentSeid) = tSegment;
    $(basic property of exampleSegmentSeid and all segment seids)
  FORALL seid s | SEGinstanceInfo(s) ~= ?
    : SENseidNsp(s) = SENseidNsp(exampleSegmentSeid);
    $(all seids for existing segments have a distinguished nsp component)
  FORALL seid s | SEGinstanceInfo(s) ~= ? : TIIinfo(s) ~= ?;
    $(all existing segments have an existing TII entry)
  FORALL seid pSeid; segDes segd | SEGuseInfo(pSeid, segd) ~= ?
    : SEGinstanceInfo(SEGuseInfo(pSeid, segd).instance) ~= ?;
    $(all valid segment uses have corresponding valid segment instances)
  FORALL seid s | SEGinstanceInfo(s) ~= ?
    : LET modeStruct ms = TIIinfo(s).da
      IN (daWrite INSET ms.ownerMode => daRead INSET ms.ownerMode)
         AND (daWrite INSET ms.groupMode => daRead INSET ms.groupMode)
         AND (daWrite INSET ms.allMode => daRead INSET ms.allMode);
    $(write access implies read access, because the hardware does not support
      write-only access for segments)
  FORALL seid pSeid; segDes sd | SEGuseInfo(pSeid, sd) ~= ?
    : daWrite INSET SEGuseInfo(pSeid, sd).da
      => daRead INSET SEGuseInfo(pSeid, sd).da;
    $(same constraint as above, for segment use information)

$(from pvm)
  FORALL seid pSeid | PVMvmExists(pSeid); segDes sd
    : (sd INSET PVMsegmentSet(pSeid)) = (SEGuseInfo(pSeid, sd) ~= ?);
    $(defines what it means for a segment to be in the segment set of a
      process)
  FORALL seid pSeid | PVMvmExists(pSeid)
    : PVMmappedSegmentSet(pSeid) SUBSET PVMsegmentSet(pSeid);
    $(only existing segments can be mapped)
  FORALL seid pSeid | PVMvmExists(pSeid); segDes s1, s2
    : LET useStruct use1 = SEGuseInfo(pSeid, s1);
          useStruct use2 = SEGuseInfo(pSeid, s2)
      IN s1 ~= s2 AND use1 ~= ? AND use2 ~= ?
         AND {s1, s2} SUBSET PVMmappedSegmentSet(pSeid)
         AND use1.vloc.domain = use2.vloc.domain
         AND use1.vloc.idSpace = use2.vloc.idSpace
         => addrRegRangeSeg(pSeid, s1) INTER addrRegRangeSeg(pSeid, s2) = {};
    $(no two mapped segments in the same domain and idSpace may have
      overlapping memory address registers)

FUNCTIONS

$(----- state functions -----)

VFUN SEGinstanceInfo(seid segSeid) -> instanceStruct is;  $(SEGinstanceInfo)
  $(gives all the information pertaining to a segment's global data,
    referred to as segment instance data)
  HIDDEN;
  INITIALLY is = ?;

VFUN SEGuseInfo(seid pSeid; segDes segd) -> useStruct us;  $(SEGuseInfo)
  $(gives all the information pertaining to a segment's use in the address
    space in a particular process; this is information local to a process)
  HIDDEN;
  INITIALLY us = ?;

VFUN PVMsegmentSet(seid pSeid) -> SET_OF segDes segSet;  $(PVMsegmentSet)
  $(gives the set of segments possessed by a given process)
  INITIALLY segSet = ?;

VFUN PVMmappedSegmentSet(seid pSeid) -> SET_OF segDes mappedSet;
  $(PVMmappedSegmentSet)
  $(gives the set of mapped -- or active -- segments of a process; a
    segment cannot be addressed unless it is mapped)
  HIDDEN;
  INITIALLY mappedSet = ?;

$(----- virtual memory management -----)

OFUN PVMcreateVM(seid pSeid);  $(PVMcreateVM)
  $(creates a new virtual memory to be identified by "pSeid"; this VM
    must not currently exist)
  ASSERTIONS
    NOT PVMvmExists(pSeid);
  EFFECTS
    'PVMsegmentSet(pSeid) = {};
    'PVMmappedSegmentSet(pSeid) = {};

OFUN PVMdeleteVM(seid pSeid);  $(PVMdeleteVM)
  $(deletes the currently existing virtual memory "pSeid")
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'PVMsegmentSet(pSeid) = ?;
    'PVMmappedSegmentSet(pSeid) = ?;

$(----- basic segment management -----)

OFUN PVMstore(seid pSeid; pBlock block; VECTOR_OF INTEGER vec);  $(PVMstore)
  $(inserts contents of vec into the mapped segment indicated by block)
  DEFINITIONS
    segDes targ IS PVMblockToSeg(pSeid, block);
    useStruct use IS SEGuseInfo(pSeid, targ);
    instanceStruct inst IS SEGinstanceInfo(use.instance);
  EXCEPTIONS
    KEpvmVecTooLong: LENGTH(vec) > block.size;
    KEpvmNoSuchSeg: targ = ?;
      $(there is a single segment in the address space of "pSeid" in which
        "pBlock" fits, having the same domain and idSpace as pBlock)
    KEpvmNotWritable: NOT SMXdap(pSeid, use.instance, {daWrite});
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    LET INTEGER relOffset = block.vloc.vAddr - use.vloc.vAddr
    IN 'SEGinstanceInfo(use.instance) =
         STRUCT(inst.gl, inst.refCount,
                VECTOR(
                  FOR i FROM 1 TO LENGTH(inst.data)
                  : IF i INSET {relOffset + 1 .. relOffset + LENGTH(vec)}
                    THEN vec[i - relOffset]
                    ELSE inst.data[i]));

VFUN PVMretrieve(seid pSeid; pBlock block) -> VECTOR_OF INTEGER vec;
  $(retrieves data from a mapped segment as specified by pBlock)
  DEFINITIONS
    segDes targ IS PVMblockToSeg(pSeid, block);
    useStruct use IS SEGuseInfo(pSeid, targ);
    instanceStruct inst IS SEGinstanceInfo(use.instance);
  EXCEPTIONS
    KEpvmNoSuchSeg: targ = ?;
      $(there is a single segment in the address space of "pSeid" in which
        "pBlock" fits, having the same domain and idSpace as pBlock)
    KEpvmNotReadable: NOT SMXflow(pSeid, use.instance, {daRead});
  ASSERTIONS
    PVMvmExists(pSeid);
  DERIVATION
    VECTOR(FOR i FROM 1 TO block.size
           : inst.data[block.vloc.vAddr - use.vloc.vAddr + i - 1]);
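PVMblockToSeg, PVMstore and PVMretrieve as specified above, as an added Python model that is not part of the KSOS specification. The SMXdap and SMXflow decisions are replaced by constructed permission sets, the segment table is a constructed three-segment address space, and the model uses 0-based offsets throughout; it keeps the spec's split of guarding writes with SMXdap and reads with SMXflow.

```python
# Added model of PVMblockToSeg / PVMstore / PVMretrieve; not the KSOS specification itself.
from dataclasses import dataclass


@dataclass
class Use:             # the parts of useStruct / virtualLocation the model needs
    instance: str      # seid of the segment instance
    domain: str        # userDomain / supervisorDomain
    id_space: str      # iSpace / dSpace
    vaddr: int         # start of the use in the process's address space


class PvmError(Exception):
    """Carries the name of the SPECIAL exception that would be signalled."""


class Pvm:
    def __init__(self, uses, data, mapped, dap, flow):
        self.uses = uses        # segDes -> Use          (SEGuseInfo for one process)
        self.data = data        # seid -> list of ints   (SEGinstanceInfo(...).data)
        self.mapped = mapped    # set of segDes          (PVMmappedSegmentSet)
        self.dap = dap          # {(seid, mode)} granted discretionarily (SMXdap stand-in)
        self.flow = flow        # {(seid, mode)} allowed by the MLS model (SMXflow stand-in)

    def block_to_seg(self, domain, id_space, vaddr, size):
        """PVMblockToSeg: the mapped segment that wholly contains the block,
        or None where the spec yields ?"""
        for sd in sorted(self.mapped):
            u = self.uses[sd]
            seg_size = len(self.data[u.instance])            # SEGsize(use.instance)
            if (u.domain == domain and u.id_space == id_space
                    and u.vaddr <= vaddr
                    and vaddr + size <= u.vaddr + seg_size):
                return sd
        return None

    def store(self, domain, id_space, vaddr, size, vec):
        """PVMstore: write vec into the segment containing the block."""
        if len(vec) > size:
            raise PvmError("KEpvmVecTooLong")
        sd = self.block_to_seg(domain, id_space, vaddr, size)
        if sd is None:
            raise PvmError("KEpvmNoSuchSeg")
        u = self.uses[sd]
        if (u.instance, "daWrite") not in self.dap:          # NOT SMXdap(..., {daWrite})
            raise PvmError("KEpvmNotWritable")
        rel = vaddr - u.vaddr                                 # relOffset
        self.data[u.instance][rel:rel + len(vec)] = vec

    def retrieve(self, domain, id_space, vaddr, size):
        """PVMretrieve: read `size` words from the segment containing the block."""
        sd = self.block_to_seg(domain, id_space, vaddr, size)
        if sd is None:
            raise PvmError("KEpvmNoSuchSeg")
        u = self.uses[sd]
        if (u.instance, "daRead") not in self.flow:          # NOT SMXflow(..., {daRead})
            raise PvmError("KEpvmNotReadable")
        rel = vaddr - u.vaddr
        return list(self.data[u.instance][rel:rel + size])


def outcome(fn, *args):
    """Run a Pvm operation and report the SPECIAL exception name, or "ok"."""
    try:
        fn(*args)
        return "ok"
    except PvmError as e:
        return str(e)


def constructed_pvm():
    """Constructed address space, all in userDomain/dSpace: a 16-word writable
    text segment at 0, an 8-word read-only shared segment at 100, and a 4-word
    segment at 200 that discretionary access permits but the MLS model forbids."""
    uses = {1: Use("segText", "userDomain", "dSpace", 0),
            2: Use("segShared", "userDomain", "dSpace", 100),
            3: Use("segHigh", "userDomain", "dSpace", 200)}
    data = {"segText": [0] * 16, "segShared": [7] * 8, "segHigh": [9] * 4}
    dap = {("segText", "daRead"), ("segText", "daWrite"),
           ("segShared", "daRead"), ("segHigh", "daRead")}
    flow = {("segText", "daRead"), ("segText", "daWrite"), ("segShared", "daRead")}
    return Pvm(uses, data, {1, 2, 3}, dap, flow)
```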

OVFUN PVMbuild(seid pSeid; statusStruct st; modeStruct ms; INTEGER size;
               virtualLocation vl)
  -> STRUCT_OF(seid segSeid; segDes segd) result;  $(PVMbuild)
  $(builds a new segment with the specified parameters;
    an entry in the tii table is also created for the segment;
    the results are the -- previously unused -- seid for the new segment and
    the -- previously unused -- segment designator; the newly created
    segment is mapped, indicating that it can be addressed immediately;
    discretionary access that the process allows itself to the segment, "da",
    must be a subset of the owner access specified in the tii information
    "ms"; the new segment must be within the size limitations and fit into
    the mapped virtual memory space of the creating process)
  DEFINITIONS
    tiiStruct proTii IS TIIinfo(pSeid);
    tiiStruct segTii
      IS STRUCT(proTii.nd, ms, proTii.owner, proTii.group, proTii.priv);
    seid newSegSeid
      IS SOME seid s | SENseidNsp(s) = SENseidNsp(exampleSegmentSeid)
                       AND SEGinstanceInfo(s) = ?;
  EXCEPTIONS
    KEsegSticky: st.gl.sticky AND NOT SMXhasPriv(pSeid, privStickySeg);
    KEsegSwappable:
      NOT st.gl.swappable AND NOT SMXhasPriv(pSeid, privLockSeg);
    KEsegBadMode:
      (daWrite INSET ms.ownerMode AND NOT daRead INSET ms.ownerMode)
      OR (daWrite INSET ms.groupMode AND NOT daRead INSET ms.groupMode)
      OR (daWrite INSET ms.allMode AND NOT daRead INSET ms.allMode);
    KEsegBadSize: NOT size INSET {0 .. MACmaxVAddr - 1};
    KEpvmNoHole:
      noHole(pSeid, st.size, vl, st.gl.growth, PVMmappedSegmentSet(pSeid));
    KEpvmNoDes: nSegs(pSeid) >= PVMmaxSegDes;
    RESOURCE_ERROR;  $(ran out of table space or seid space)
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'TIIinfo(newSegSeid) = segTii;
    'SEGinstanceInfo(newSegSeid) =
      STRUCT(st.gl, 1,
             VECTOR(FOR i FROM 1 TO size : 0));
    EXISTS segDes sd | SEGuseInfo(pSeid, sd).instance = ?
      : 'SEGuseInfo(pSeid, sd) = STRUCT(newSegSeid, vl, ms.ownerMode)
        AND result = STRUCT(newSegSeid, sd)
        AND 'PVMsegmentSet(pSeid) = PVMsegmentSet(pSeid) UNION {sd}
        AND 'PVMmappedSegmentSet(pSeid)
              = PVMmappedSegmentSet(pSeid) UNION {sd};

OFUN PVMdestroy(seid pSeid; segDes segd);  $(PVMdestroy)
  $(destroys the segment use indicated by pSeid and segd; if the segment is
    unsticky and otherwise unreferenced, the segment instance information is
    also deleted)
  DEFINITIONS
    useStruct use IS SEGuseInfo(pSeid, segd);
    seid segSeid IS use.instance;
    instanceStruct inst IS SEGinstanceInfo(segSeid);
  EXCEPTIONS
    KEsegNotHeld: NOT segd INSET PVMsegmentSet(pSeid);
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'PVMsegmentSet(pSeid) = PVMsegmentSet(pSeid) DIFF {segd};
    'PVMmappedSegmentSet(pSeid) = PVMmappedSegmentSet(pSeid) DIFF {segd};
    'SEGuseInfo(pSeid, segd) = ?;
    IF (inst.refCount = 1 AND inst.gl.sticky = FALSE)
      THEN 'SEGinstanceInfo(segSeid) = ?
           AND 'TIIinfo(segSeid) = ?
      ELSE 'SEGinstanceInfo(segSeid) =
             STRUCT(inst.gl, inst.refCount - 1, inst.data);

$(----- high level storage allocation -----)

OFUN PVMremap(seid pSeid; segDes in; virtualLocation vl; daType da;
              BOOLEAN vlFlg, daFlg; segDes out; INTEGER newSize;
              BOOLEAN nsFlg);  $(PVMremap)
  $(this function takes the currently mapped segment "out" and maps it out,
    while simultaneously mapping in the currently unmapped segment "in";
    this function can be used for mapping in -- without mapping out -- by
    letting "out" be the distinguished value SEGnullSeg; similarly, mapping
    out alone can be done by letting "in" be SEGnullSeg; a mapped in segment
    can have a new virtual location and a discretionary access specified
    optionally; a mapped out segment can have its size optionally changed;
    all these optional changes are specified by the values of BOOLEAN flags;
    the idSpace of the mapped in segment may not be changed; the mapped in
    segment must occupy a hole in the virtual memory)
  DEFINITIONS
    SET_OF segDes inSet IS IF in = SEGnullSeg THEN {} ELSE {in};
    SET_OF segDes outSet IS IF out = SEGnullSeg THEN {} ELSE {out};
    useStruct inUse IS SEGuseInfo(pSeid, in);
    instanceStruct inInst IS SEGinstanceInfo(inUse.instance);
    useStruct outUse IS SEGuseInfo(pSeid, out);
    seid outSeid IS outUse.instance;
    instanceStruct outInst IS SEGinstanceInfo(outSeid);
  EXCEPTIONS
    KEpvmBadSeg: NOT inSet SUBSET PVMsegmentSet(pSeid);
    KEpvmRemap1: NOT outSet SUBSET PVMmappedSegmentSet(pSeid);
    KEpvmRemap2: EXISTS segDes sd INSET inSet
                   : sd INSET PVMmappedSegmentSet(pSeid);
    KEpvmWriteOnly: daFlg AND daWrite INSET da AND NOT daRead INSET da;
    KEpvmSpace: vlFlg AND vl.idSpace ~= inUse.vloc.idSpace;
    KEpvmSharable:
      nsFlg AND newSize ~= SEGsize(inUse.instance) AND inInst.gl.sharable;
    KEpvmBadDa: daFlg AND NOT SMXdap(pSeid, outSeid, da);
    KEpvmNoHole:
      in ~= SEGnullSeg
      AND noHole(pSeid, SEGsize(inUse.instance),
                 IF vlFlg THEN vl ELSE inUse.vloc, inInst.gl.growth,
                 PVMmappedSegmentSet(pSeid) DIFF outSet);
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'PVMmappedSegmentSet(pSeid) = (PVMmappedSegmentSet(pSeid) DIFF outSet)
                                  UNION inSet;
    'SEGuseInfo(pSeid, in)
      = STRUCT(inUse.instance, IF vlFlg THEN vl ELSE inUse.vloc,
               IF daFlg THEN da ELSE inUse.da);
    'SEGinstanceInfo(outSeid)
      = STRUCT(outInst.gl, outInst.refCount,
               VECTOR(FOR i FROM 1
                      TO (IF nsFlg THEN newSize ELSE SEGsize(outSeid))
                      : IF i <= SEGsize(outSeid)
                        THEN outInst.data[i] ELSE 0));

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393  $( - - - — - segment  sharing  - - — - — - - - - ) 

394 

395  OVFUN  PVMrendezvousCseid  pSeid,  segSeld;  virtualLocatlon  vl;  daType  da) 

396  ->  segDes  sd;  $(PVMrendezvous) 

397  $(  creates  a  use  for  the  segment  named  by  segSeld;  this  segment  appears 

398  Inaccessible  If  Che  multilevel  security  model  would  consider  It  a 

399  violation  of  Information  flow) 

400  DEFINITIONS 

401  InstanceStruct  Inst  IS  SEGlnstancelnfo(segSeld); 

402  EXCEPTIONS 

403  KEpvmWriteOnly:  daWrite  INSET  da  AND  NOT  daRead  INSET  da; 

404  KEsegBadName:  Inst  *  ?  OR  NOT  SMXf low(pSeid,  segSeld,  da); 

405  KEpvmNoDa:  NOT  SMXdap(pSeld ,  segSeld,  da); 

406  KEpvmDupSeg:  EXISTS  segDes  sdl 

407  ;  SEGuselnfoCpSeld,  sdl) .Instance  ■  segSeld; 

408  KEpvmNoHole :  noHole (pSeid ,  SEGsize(segSeid ) .  vl,  1 ns t.gl. growth, 

409  PVMmappedSegmentSet (pSeid)); 

410  KEpvmNoDes:  nSegs(pSeld)  >-  PVMmaxSegDes ; 

411  ASSERTIONS 

412  PVMvmExists(pSeld); 

413  EFFECTS 

414  LET  segDes  segd  I  SEGuBelnf o(pSeld,  segd)  “  ? 

415  IN  'SEGuseInfo(pSeld,  segd)  -  STRUCT(segSeid,  vl,  da) 

416  AND  'SEClnstancelnfo(segSeid)  ■ 

417  STRUCT (1 ns t. gl ,  Inst . ref Count  +  1,  Inst. data) 

418  AND  'PVMsegmentSet (pSeid)  «  PVMsegmentSet(pSeld)  UNION  {segd} 

419  AND  'PVMmappedSegmentSet (pSeid) 

420  -  PvfMmappedSegmentSet(pSeid)  UNION  {segd} 

421  AND  sd  »  segd; 


423  0FUN  PVMcopySeg(seid  fromSeld,  toSeld;  segDes  sd); 


S(PVMcopySeg) 


$(  copies  a  segment  from  the  virtual  memory  "fromSeld"  to  the  virtual 
memory  "toSeld";  both  virtual  memories  must  exist;  the  segment 
designator  sd  oust  exist  In  "fromSeld"  but  not  In  "toSeld”;  used  by 
the  module  chat  sets  up  virtual  memories  for  new  processes) 
DEFINITIONS 

useStruct  use  IS  SEGuaeInfo(f romSeid,  sd); 
seld  oldSeld  IS  use. Instance; 

InstanceStruct  Inst  IS  SEGlnstancelnfo(oldSeld); 
seld  newSeld 

IS  SOME  seld  s  I  SENseldNsp(s)  *  SENseldNsp(exampleSegmentSeid) 

AND  SEGlnstancelnfo(s)  ■  ?; 
tilStruct  stll  IS  Tlllnfo(oldSeid); 
tliStruct  ptli  IS  Tlllnfo(toSeid); 

ASSERTIONS 

PVMvmExlsts(fromSeld) ; 

PVMvmExlsts(toSeid) ; 

sd  INSET  PVMsegmentSet(fromSeid); 

NOT  sd  INSET  PVMsegmentSet ( toSei d) ; 

EFFECTS 

'SEClnstancelnfo(newSeld)  *  STRUCK  Inst .gl ,  1,  Inst. data); 
'SEGuselnfoCtoSeld.  sd)  ■  STRUCT(newSeld,  use.vloc,  use. da); 

'Tllinf o(newSeld)  ■  STRUCT(stli.nd,  stll. da,  ptll. owner,  pt 11. group, 

stil.prlv); 


447  'PVMsegmentSet(toSeld)  -  PVMsegmentSet (toSeld)  UNION  {sd}; 

448  sd  INSET  PVMmappedSegmentSet(fromSeld)  ■> 
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449  'PVMmappedSegmentSet(toSeid)  -  PVMmappedSegmentSet(toSeid)  UNION  {sd}: 

450 

$(----- segment status manipulation -----)

VFUN PVMgetSegmentStatus(seid pSeid, segSeid) -> statusStruct ss;
  $(PVMgetSegmentStatus)
  $(returns the status information -- which is much of the global
    information -- for the segment; the segment must exist in the segment
    set of the requesting process)
  EXCEPTIONS
    KEnoSeg: SEGinstanceInfo(segSeid) = ?
             OR NOT SMXflow(pSeid, segSeid, {daRead});
  ASSERTIONS
    PVMvmExists(pSeid);
  DERIVATION
    STRUCT(SEGinstanceInfo(segSeid).gl, SEGsize(segSeid));

OFUN PVMsetSegmentStatus(seid pSeid, segSeid; globalData glo);
  $(PVMsetSegmentStatus)
  $(changes the status information for the segment; certain privileges
    are required)
  DEFINITIONS
    instanceStruct i IS SEGinstanceInfo(segSeid);
  EXCEPTIONS
    KEpvmNoSeg: i = ? OR NOT SMXflow(pSeid, segSeid, {daRead, daWrite});
    KEpvmBadDa: NOT SMXdap(pSeid, segSeid, {daRead, daWrite});
    KEpvmExecute: i.gl.sharable;
    KEpvmBadGrowth: glo.growth ~= i.gl.growth;
    KEpvmNoSwap:
      glo.swappable AND NOT i.gl.swappable
      AND NOT SMXhasPriv(pSeid, privLockSeg);
    KEpvmNoStick:
      glo.sticky AND NOT i.gl.sticky
      AND NOT SMXhasPriv(pSeid, privStickySeg);
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'SEGinstanceInfo(segSeid) = STRUCT(glo, i.refCount, i.data);

END_MODULE
$(" MODULE pvp.specs (version 2.7)
    CONTENTS: Virtual Memory -- Process Support
    TYPE:
    LAST CHANGED: 7/17/79 15:09:51
")

MODULE pvp
  $( this module contains operations that support the process module's use of
     the virtual memory mechanism. This is entirely a procedure abstraction.
     It is specified in terms of V-functions of other modules, but is
     implemented by a program in terms of operations of other modules.
     This sequence will be included in the comments for each of the operations.
     This module has no state of its own except for parameters for immediate
     segments.)

TYPES
  $(from mac)
  vAddrType: {0 .. MACmaxVAddr};

  $(from smx)
  nonDisType: STRUCT_OF(
      INTEGER securityLevel; SET_OF securityCat securityCatS;
      INTEGER integrityLevel; SET_OF integrityCat integrityCatS);
  daType: SET_OF daMode;
  modeStruct: STRUCT_OF(daType ownerMode, groupMode, allMode);
  tiiStruct: STRUCT_OF(nonDisType nd;
      modeStruct da; INTEGER owner, group; SET_OF privType priv);

  $(from pvm)
  virtualLocation:
      STRUCT_OF(domainType domain; spaceType idSpace; vAddrType vAddr);
  globalData:
      STRUCT_OF(BOOLEAN sharable, swappable, sticky, memAdvise, executable;
                direction growth);
  instanceStruct:
      STRUCT_OF(globalData gl; INTEGER refCount; VECTOR_OF INTEGER data);
  useStruct: STRUCT_OF(seid instance; virtualLocation vloc; daType da);

PARAMETERS
  virtualLocation PVMimmVloc;   $(location for immediate segment)
  segDes PVMimmDes;             $(designator for immediate text segment)
  segDes PVMargDes;             $(designator for argument segment)
  virtualLocation PVMargVloc;   $(location for argument segment)

DEFINITIONS
  $(from seg)
  INTEGER SEGsize(seid segSeid) IS LENGTH(SEGinstanceInfo(segSeid).data);

  $(from pvm)
  INTEGER nSegs(seid pSeid)
    IS CARDINALITY({segDes sd | SEGuseInfo(pSeid, sd) ~= ?});

  BOOLEAN PVMvmExists(seid pSeid) IS PVMsegmentSet(pSeid) ~= ?;

  SET_OF INTEGER addrRegRange(INTEGER vAddr, size; direction d) IS
    IF d = up
    THEN {vAddr / MACmaxOffset .. (vAddr + size - 1) / MACmaxOffset}
    ELSE {(vAddr - size + 1) / MACmaxOffset .. vAddr / MACmaxOffset};
    $( gives the range of address registers used by a segment as a function of
       its start address, size, and growth direction)

  SET_OF INTEGER addrRegRangeSeg(seid pSeid; segDes s) IS
    LET useStruct use = SEGuseInfo(pSeid, s)
    IN addrRegRange(use.vloc.vAddr, SEGsize(use.instance),
                    SEGinstanceInfo(use.instance).gl.growth);
    $( gives the range of address registers used by a segment as a function of
       the process id and the segment designator)

  BOOLEAN noHole(seid pSeid; INTEGER size; virtualLocation vl; direction d;
                 SET_OF segDes ssd) IS
    NOT addrRegRange(vl.vAddr, size, d) SUBSET {0 .. MACmaxReg}
    OR (EXISTS segDes s | s INSET ssd; useStruct use = SEGuseInfo(pSeid, s)
        : use.vloc.idSpace = vl.idSpace
          AND use.vloc.domain = vl.domain
          AND addrRegRangeSeg(pSeid, s)
              INTER addrRegRange(vl.vAddr, size, d) ~= {});
    $(TRUE iff a segment described by size, vl, and direction will NOT fit into
      a hole in the address space designated by pSeid and ssd; this includes
      testing for virtual memory underflow and overflow)
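As an added illustration (not part of the pvp specification), the three definitions above in executable Python, run against a constructed address space; MACmaxOffset and MACmaxReg are spec parameters whose values here are assumptions, and the domain, space and register layout is sample data.

```python
MAC_MAX_OFFSET = 8192   # assumed: address span covered by one address register
MAC_MAX_REG = 7         # assumed: registers 0..7 per space
UP, DOWN = "up", "down"
ALL_REGS = set(range(0, MAC_MAX_REG + 1))   # the spec's {0 .. MACmaxReg}


def addr_reg_range(v_addr, size, direction):
    """Spec addrRegRange.  Floor division matters: for a segment growing
    down past address 0 the low bound is negative and must stay negative so
    that the SUBSET test in no_hole reports the underflow."""
    if direction == UP:
        lo, hi = v_addr // MAC_MAX_OFFSET, (v_addr + size - 1) // MAC_MAX_OFFSET
    else:
        lo, hi = (v_addr - size + 1) // MAC_MAX_OFFSET, v_addr // MAC_MAX_OFFSET
    return set(range(lo, hi + 1))


# Constructed uses of one process: segDes -> (domain, idSpace, vAddr, size, growth);
# the spec reads vAddr from SEGuseInfo and size/growth from SEGinstanceInfo.
USES = {
    "text":  ("supervisorDomain", "iSpace", 0, 3 * MAC_MAX_OFFSET, UP),
    "data":  ("userDomain", "dSpace", 0, 2 * MAC_MAX_OFFSET, UP),
    "stack": ("userDomain", "dSpace", 8 * MAC_MAX_OFFSET - 1, MAC_MAX_OFFSET, DOWN),
}


def addr_reg_range_seg(uses, sd):
    """Spec addrRegRangeSeg: registers used by an existing segment."""
    _, _, v_addr, size, growth = uses[sd]
    return addr_reg_range(v_addr, size, growth)


def no_hole(uses, size, vloc, direction, ssd):
    """Spec noHole: TRUE iff the proposed segment does NOT fit, either because
    it leaves the register set (overflow or underflow) or because it overlaps
    a segment in ssd that lives in the same domain and I/D space."""
    domain, space, v_addr = vloc
    wanted = addr_reg_range(v_addr, size, direction)
    if not wanted <= ALL_REGS:
        return True
    for sd in ssd:
        u_domain, u_space, _, _, _ = uses[sd]
        if (u_space == space and u_domain == domain
                and addr_reg_range_seg(uses, sd) & wanted):
            return True
    return False


def placement_report(uses):
    """Try a few placements against the constructed address space."""
    ssd = set(uses)
    return {
        "fits_between_data_and_stack":
            no_hole(uses, MAC_MAX_OFFSET, ("userDomain", "dSpace", 2 * MAC_MAX_OFFSET), UP, ssd),
        "overlaps_data":
            no_hole(uses, MAC_MAX_OFFSET, ("userDomain", "dSpace", 0), UP, ssd),
        "same_address_other_domain":   # text is supervisor I-space, so no conflict
            no_hole(uses, MAC_MAX_OFFSET, ("userDomain", "iSpace", 0), UP, ssd),
        "overflow":
            no_hole(uses, 2 * MAC_MAX_OFFSET, ("userDomain", "dSpace", 7 * MAC_MAX_OFFSET), UP, ssd),
        "underflow":
            no_hole(uses, MAC_MAX_OFFSET, ("userDomain", "dSpace", 100), DOWN, ssd),
    }


if __name__ == "__main__":
    for name, blocked in placement_report(USES).items():
        print(f"{name}: noHole = {blocked}")
```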

EXTERNALREFS

  FROM mac:
    INTEGER MACmaxVAddr, MACmaxOffset, MACmaxReg;

  FROM smx:
    seid: DESIGNATOR;
    privType: {privFileUpdateStatus, privLink, privLockSeg,
               privModifyPriv, privMount,
               privSetFileLevel, privSetSegProcLevel,
               privStickySeg, privTerminalLock,
               privViolSimpSecurity, privViolStarSecurity,
               privViolSimpIntegrity, privViolStarIntegrity,
               privViolDiscrAccess, privSignal, privWalkPTable,
               privHalt, privKernelCall, privViolCompartments,
               privRealizeExecPermissions};
    daMode: {daRead, daWrite, daExecute};
    securityCat: DESIGNATOR;
    integrityCat: DESIGNATOR;
    domainType: {userDomain, supervisorDomain};
    VFUN SENseidNsp(seid s) -> INTEGER nsp;
    VFUN TIIinfo(seid anySeid) -> tiiStruct tiiSt;
    VFUN SMXflow(seid pSeid, oSeid; daType da) -> BOOLEAN b;
    VFUN SMXdap(seid pSeid, oSeid; daType da) -> BOOLEAN b;

  FROM pvm:
    segDes: DESIGNATOR;
    spaceType: {iSpace, dSpace};
    direction: {up, down};
    seid exampleSegmentSeid;   $(used for segment creation)
    INTEGER PVMmaxSegDes;
    VFUN SEGinstanceInfo(seid segSeid) -> instanceStruct is;
    VFUN SEGuseInfo(seid pSeid; segDes segd) -> useStruct us;
    VFUN PVMsegmentSet(seid pSeid) -> SET_OF segDes segSet;
    VFUN PVMmappedSegmentSet(seid pSeid) -> SET_OF segDes mappedSet;

ASSERTIONS
  PVMimmVloc.domain = supervisorDomain;
  PVMimmVloc.idSpace = iSpace;
  PVMargVloc.domain = supervisorDomain;
  PVMargVloc.idSpace = dSpace;
  $( constraints on parameters)

FUNCTIONS

$( ---------- support for PSTreleaseProcess ---------- )

OFUN PVPreleaseProcessSupport(seid pSeid);
  $( This function supports PSTreleaseProcess by deleting all segments in
     the virtual memory named by "pSeid" and then deleting the virtual memory
     itself)
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    FORALL segDes sd | SEGuseInfo(pSeid, sd) ~= ?
      : 'SEGuseInfo(pSeid, sd) = ?
        AND (LET seid segSeid = SEGuseInfo(pSeid, sd).instance;
                 instanceStruct inst = SEGinstanceInfo(segSeid)
             IN IF inst.refCount = 1 AND inst.gl.sticky = FALSE
                THEN 'SEGinstanceInfo(segSeid) = ?
                     AND 'TIIinfo(segSeid) = ?
                ELSE 'SEGinstanceInfo(segSeid)
                     = STRUCT(inst.gl, inst.refCount - 1, inst.data));
    'PVMsegmentSet(pSeid) = ?;
    'PVMmappedSegmentSet(pSeid) = ?;

$( NOTE -- There are two special segments that are appropriate to the invoke
   and spawn operations: the argument segment "arg", already in the virtual
   memory, which contains the data to be used by the initialized process;
   and the immediate segment, "immSeid", which contains the code for the
   process -- this code is also called the process bootstrapper)

$( ---------- support for PSTinvoke ---------- )

OFUN PVPinvokeSupport(seid pSeid, immSeid; segDes arg);   $(PVPinvokeSupport)
  $( This function sets up the virtual memory of a process for
     invocation; the new mapped set contains all previously mapped supervisor
     segments and the argument and immediate segments; the argument segment
     is mapped to a different virtual location, and a use is created for the
     immediate segment)
  DEFINITIONS
    instanceStruct immInst IS SEGinstanceInfo(immSeid);
    useStruct argUse IS SEGuseInfo(pSeid, arg);
    seid argSeid IS argUse.instance;
    instanceStruct argInst IS SEGinstanceInfo(argSeid);
  EXCEPTIONS
    KEpvmNoArg: argUse = ?;
    KEpvmArgSharable: argInst.gl.sharable;
    KEpvmArgNotWritable: NOT daWrite INSET argUse.da;
    KEpvmBadSeg: immInst = ?
                 OR NOT SMXflow(pSeid, immSeid, {daRead});
    KEpvmBadDa: NOT SMXdap(pSeid, immSeid, {daExecute});
    KEpvmArgOverflow:
      NOT addrRegRange(PVMargVloc.vAddr, SEGsize(argSeid), argInst.gl.growth)
          SUBSET {0 .. MACmaxReg};
    KEpvmImmOverflow:
      NOT addrRegRange(PVMimmVloc.vAddr, SEGsize(immSeid), immInst.gl.growth)
          SUBSET {0 .. MACmaxReg};
    nSegs(pSeid) >= PVMmaxSegDes;
  ASSERTIONS
    PVMvmExists(pSeid);
  EFFECTS
    'SEGuseInfo(pSeid, PVMargDes)
        = STRUCT(argUse.instance, PVMargVloc, argUse.da);
    $( create a reference to the immediate segment)
    'SEGuseInfo(pSeid, PVMimmDes)
        = STRUCT(immSeid, PVMimmVloc, {daRead, daExecute});
    'SEGinstanceInfo(immSeid)
        = STRUCT(immInst.gl, immInst.refCount + 1, immInst.data);
    $( add the immediate segment to the address space)
    'PVMsegmentSet(pSeid) = PVMsegmentSet(pSeid) UNION {PVMimmDes};
    $( unmap all segments except supervisor segments, the argument segment,
       and the immediate segment)
    'PVMmappedSegmentSet(pSeid)
        = {PVMargDes, PVMimmDes}
          UNION
          {segDes sd
           | sd INSET PVMmappedSegmentSet(pSeid)
             AND SEGuseInfo(pSeid, sd).vloc.domain = supervisorDomain};
    $( remap the argument segment)

$( ---------- support for PSTspawn ---------- )

OFUN PVPspawnSupport(seid parent, child; seid immSeid; segDes arg);
  $(PVPspawnSupport)
  $(creates a new address space named by child and inserts into it two
    segment uses -- the argument segment, arg, which is copied from the parent
    address space, but occupies a different position -- PVMargDes --
    and the immediate segment, immSeid, which is shared)
  DEFINITIONS
    instanceStruct immInst IS SEGinstanceInfo(immSeid);
    useStruct argUse IS SEGuseInfo(parent, arg);
    seid argSeid IS argUse.instance;
    instanceStruct argInst IS SEGinstanceInfo(argSeid);
    seid argCopy
      IS SOME seid s | SENseidNsp(s) = SENseidNsp(exampleSegmentSeid)
                       AND SEGinstanceInfo(s) = ?;
    tiiStruct aTii IS TIIinfo(argSeid);
    tiiStruct pTii IS TIIinfo(parent);
    tiiStruct nTii IS STRUCT(aTii.nd, aTii.da, pTii.owner, pTii.group,
                             aTii.priv);
  EXCEPTIONS
    KEsegNotNull: argInst = ?;
    KEpvmBadSeg: immInst = ? OR NOT SMXflow(parent, immSeid, {daRead});
    KEpvmBadDa: NOT SMXdap(parent, immSeid, {daRead, daExecute});
    KEpvmArgSharable: argInst.gl.sharable;
    KEpvmArgNotWritable: NOT daWrite INSET argUse.da;
    KEpvmArgOverflow:
      NOT addrRegRange(PVMargVloc.vAddr, SEGsize(argSeid), argInst.gl.growth)
          SUBSET {0 .. MACmaxReg};
    KEpvmImmOverflow:
      NOT addrRegRange(PVMimmVloc.vAddr, SEGsize(immSeid), immInst.gl.growth)
          SUBSET {0 .. MACmaxReg};
    RESOURCE_ERROR;
  ASSERTIONS
    PVMvmExists(parent);
    NOT PVMvmExists(child);
  EFFECTS
    $( create a copy of the argument segment)
    'TIIinfo(argCopy) = nTii;
    'SEGinstanceInfo(argCopy) = STRUCT(argInst.gl, 1, argInst.data);
    'SEGuseInfo(child, PVMargDes) = argUse;
    $( create a use for immSeid in child)
    'SEGuseInfo(child, PVMimmDes)
        = STRUCT(immSeid, PVMimmVloc, {daRead, daExecute});
    'SEGinstanceInfo(immSeid)
        = STRUCT(immInst.gl, immInst.refCount + 1, immInst.data);
    'PVMsegmentSet(child) = {PVMimmDes, PVMargDes};
    'PVMmappedSegmentSet(child) = {PVMimmDes, PVMargDes};


263  $( - — - -  support  for  PRO  fork  ■  —————— - - - ) 

264 

265  0FUN  PVPforkSupport(seid  parent,  child);  S(PVPforkSupport) 

266  $( creates  a  new  virtual  memory,  child,  that  is  a  copy  of  parent;  some 

267  segments  are  copied  and  others  are  merely  shared;  if  a  segment  is 

268  sharable  in  the  parent  process,  it  is  not  copied,  but  a  use  corresponding 

269  to  the  Instance  in  parent  is  created  instead;  if  the  segment  is  not 

270  sharable,  then  a  new  instance  of  the  segment  is  created,  requiring  the 

271  allocation  of  an  unused  seid;  in  either  case,  corresponding  segments  have 

272  identical  segment  designators  in  both  processes;  ouch  mechanism  In  this 

273  specification  is  devoted  to  describing  the  set  of  new  selds  created  and 

274  the  mapping  of  this  set  onto  the  set  of  new  segment  instances) 

275  DEFINITIONS 

276  INTEGER  nCopies 

277  IS  CARDINALITY 

278  ({segDes  sd  |  SECinstancelnf o(SEGuseInfo(parent . 

279  sd). Instance). gl .sharable 

280 


FALSE  }  ) ; 
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281 

282 

283 

284 

285 

286 

287 

288 

289 

290 

291 

292 

293 

294 

295 

296 

297 

298 

299 

300 

301 

302 

303 

304 

305 

306 

307 

308 

309 

310 

311 

312 

313 

314 

315 

316 

317 

318 


$(nunber  of  nonsharable  segments  In  parent  process) 

SET  OF  seld  copySet 

IS  SOME  SET  OF  seld  ss 

I  CARDlXAllTKss)  -  n Copies 

AND  (F0RALL  seld  s  INSET  ss 

SENsel dNsp(s)  -  SENseldNsp(exairoleSegmentSeld) 

AND  SEClnstancelnfo(s)  -  ?): 

$ (actual  set  of  new  selds) 

EXCEPTIONS 

RESOURCE  ERROR; 

ASSERTIONS 

PVMvmExists(parent ) . 

NOT  PVMvmExlsts (child); 

EFFECTS 

'PVMsegroentSet(child)  “  PVMsegmentSet (parent ) : 
'PVMirappedSegnientSet(child)  ■  PVMmappedSegmentSet (parent): 

FORALL  segDes  segd  |  SEGuselnf o(parent ,  segd). instance  ? 

:  LET  useStruct  use  -  SEGuselnf o(parent ,  segd): 
seld  segSeld  -  use . Instance ; 
instanceStruct  Inst  *  SEClnstancelnfo(segSeld) 

IN  (IF  Inst .gl . sharable 
THEN 

'SEGuselnf o(child,  segd)  ■  use 
AND  'SEClnstancelnfo(segSeld)  ■ 

STRUCT (1 ns t .gl ,  Inst .refCount  +  1.  Inst. data) 

ELSE 

(LET  seld  copy  INSET  copySet 

IN  'TIIlnfo(copy)  ■  'TIIlnfo(segSeid) 

AND  'SEGlnstancelnfo(copy)  ■ 

STRUCT (Inst .gl ,  1,  Inst. data) 

AND  'SEGuselnf o(chi Id,  segd)  » 

STRUCT (copy,  use.vloc.  use. da) 

AND  (FORALL  segDes  segdl  segd 

:  'SEGuseInfo(child,  segdl ). Instance 

' SEGuselnf o(chi Id.  segd) .Instance)) ) ; 


END  MODULE 
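The refCount bookkeeping that PVPforkSupport, PVPspawnSupport and PVPreleaseProcessSupport share is easy to get wrong in an implementation, so here is an added Python model of just that part of the pvp state (not the KSOS code): instances and uses only, with virtual locations, TII data and the address-register checks left out; the seids and designators are constructed names.

```python
from dataclasses import dataclass, field


@dataclass
class Instance:                  # spec instanceStruct; gl reduced to the flags used here
    sharable: bool
    sticky: bool
    ref_count: int
    data: list


@dataclass
class VM:                        # one process's virtual memory (PVMsegmentSet ~= ?)
    uses: dict = field(default_factory=dict)   # segDes -> seid (SEGuseInfo(p, sd).instance)


class SegmentStore:
    def __init__(self):
        self.instances = {}      # seid -> Instance   (SEGinstanceInfo)
        self.vms = {}            # pSeid -> VM
        self._next = 0

    def new_seid(self):          # models SOME seid s | SEGinstanceInfo(s) = ?
        self._next += 1
        return f"seg{self._next}"

    def create_vm(self, p_seid):
        assert p_seid not in self.vms
        self.vms[p_seid] = VM()

    def add_segment(self, p_seid, sd, sharable=False, sticky=False, data=()):
        seid = self.new_seid()
        self.instances[seid] = Instance(sharable, sticky, 1, list(data))
        self.vms[p_seid].uses[sd] = seid
        return seid

    def fork(self, parent, child):
        """PVPforkSupport: a sharable segment is shared (refCount + 1 on the
        same instance); a non-sharable one is copied into a fresh seid with
        refCount 1.  Designators are identical in parent and child."""
        assert parent in self.vms and child not in self.vms
        self.create_vm(child)
        for sd, seid in self.vms[parent].uses.items():
            inst = self.instances[seid]
            if inst.sharable:
                inst.ref_count += 1
                self.vms[child].uses[sd] = seid
            else:
                copy = self.new_seid()
                self.instances[copy] = Instance(False, inst.sticky, 1, list(inst.data))
                self.vms[child].uses[sd] = copy

    def release(self, p_seid):
        """PVPreleaseProcessSupport: every use is dropped; an instance whose
        only reference goes away is deleted unless it is sticky, otherwise
        its refCount is decremented (a sticky instance may reach 0)."""
        for seid in self.vms.pop(p_seid).uses.values():
            inst = self.instances[seid]
            if inst.ref_count == 1 and not inst.sticky:
                del self.instances[seid]
            else:
                inst.ref_count -= 1

    def ref_counts_consistent(self):
        """Invariant the spec maintains: refCount equals the number of uses,
        over all virtual memories, that name the instance."""
        counts = {seid: 0 for seid in self.instances}
        for vm in self.vms.values():
            for seid in vm.uses.values():
                if seid not in counts:      # dangling use: a deleted instance
                    return False
                counts[seid] += 1
        return all(inst.ref_count == counts[seid] for seid, inst in self.instances.items())


def run_scenario():
    """Constructed scenario: fork a parent with three segments, then release
    the child and the parent; returns what survives at each step."""
    store = SegmentStore()
    store.create_vm("parent")
    text = store.add_segment("parent", "text", sharable=True, data=[1, 2, 3])
    data = store.add_segment("parent", "data", sharable=False, data=[9])
    lib = store.add_segment("parent", "lib", sharable=True, sticky=True)

    store.fork("parent", "child")
    after_fork = {
        "text_refs": store.instances[text].ref_count,            # 2: shared
        "lib_refs": store.instances[lib].ref_count,              # 2: shared
        "data_copied": store.vms["child"].uses["data"] != data,  # private copy
        "consistent": store.ref_counts_consistent(),
    }
    store.release("child")
    after_child_release = {
        "text_refs": store.instances[text].ref_count,            # back to 1
        "instances": len(store.instances),                       # data copy deleted
        "consistent": store.ref_counts_consistent(),
    }
    store.release("parent")
    after_parent_release = {
        "survivors": sorted(store.instances),                    # only the sticky lib
        "lib_refs": store.instances[lib].ref_count,              # 0, kept because sticky
        "consistent": store.ref_counts_consistent(),
    }
    return after_fork, after_child_release, after_parent_release
```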
$(" MODULE smx.specs (version 2.29)
    CONTENTS: Security Model
    TYPE: SPECIAL specifications
    LAST CHANGED: 10/12/79, 10:11:23
")

MODULE smx
  $( This module now includes what used to be the contents of smx, prv, tii,
     syl and sen modules)

TYPES
  $(from smx -- exportable)
  seid: DESIGNATOR;
  secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype,
                     tExtent, tNull};
  privType: {
      privFileUpdateStatus, privLink, privLockSeg,
      privModifyPriv, privMount,
      privSetFileLevel, privSetSegProcLevel,
      privStickySeg, privTerminalLock,
      privViolSimpSecurity, privViolStarSecurity,
      privViolSimpIntegrity, privViolStarIntegrity,
      privViolDiscrAccess, privSignal, privWalkPTable,
      privHalt, privKernelCall, privViolCompartments,
      privRealizeExecPermissions};
  daMode: {daRead, daWrite, daExecute};
  securityCat: DESIGNATOR;
  integrityCat: DESIGNATOR;
  domainType: {userDomain, supervisorDomain};

  $(from smx -- redeclarable)
  nonDisType: STRUCT_OF(
      INTEGER securityLevel; SET_OF securityCat securityCatS;
      INTEGER integrityLevel; SET_OF integrityCat integrityCatS);
  $(integrityCat is typically the null set)
  daType: SET_OF daMode;
  modeStruct: STRUCT_OF(daType ownerMode, groupMode, allMode);
  tiiStruct: STRUCT_OF(nonDisType nd;
      modeStruct da; INTEGER owner, group; SET_OF privType priv);

PARAMETERS
  INTEGER SENmaxIndex,   $(maximum index component of a seid, 2**24 - 1)
          SENmaxNsp;     $(maximum nsp component of a seid, 2**8 - 1)
  INTEGER SENlowLevel,   $(system low level)
          SENhighLevel;  $(system high level)

ASSERTIONS
  FORALL seid s1, s2: (s1 = s2) = (SENseidNsp(s1) = SENseidNsp(s2)
                                   AND SENseidIndex(s1) = SENseidIndex(s2));
  $(this states that the nsp and index are isomorphic with the seid, and
    thus uniquely identify it)

  SENlowLevel < SENhighLevel;
  $(defines the "greater than" relation for security in terms of the integer
    relation ">")

  SYLgetHigh() INSET {SENlowLevel .. SENhighLevel};
  $(the current system high level is always within range)

  FORALL seid s | TIIinfo(s) ~= ?
    : LET nonDisType nd = TIIinfo(s).nd
      IN nd.securityLevel INSET {SENlowLevel .. SENhighLevel}
         AND nd.integrityLevel INSET {SENlowLevel .. SENhighLevel};
  $(restricts the values of the security and integrity levels for any
    existing objects)

FUNCTIONS

$( ---------- sen -- state functions ---------- )

VFUN SENseidNsp(seid anySeid) -> INTEGER nsp;   $(SENseidNsp)
  $( this is the nsp table entry component of a seid)
  INITIALLY
    nsp INSET {0 .. SENmaxNsp};   $(constrained by assertion above)

VFUN SENseidIndex(seid anySeid) -> INTEGER index;   $(SENseidIndex)
  $( this is the index component for a seid)
  INITIALLY
    index INSET {0 .. SENmaxIndex};
    $(also characterized by assertion)

VFUN SENnspType(INTEGER nsp) -> secureEntityType set;   $(SENnspType)
  $( gives the type information as a function of the nsp component of
     a seid)
  INITIALLY NO nsp INSET {0 .. SENmaxNsp} => set = ?;

$( ---------- sen -- seid and nsp manipulation ---------- )

VFUN SENseidToInt(seid anySeid) -> INTEGER i;   $(SENseidToInt)
  $(gives the integer corresponding to a given seid)
  DERIVATION
    SENseidIndex(anySeid) + 2**24 * SENseidNsp(anySeid);

VFUN SENseidType(seid s) -> secureEntityType set;   $(SENseidType)
  $( returns the type information pertaining to a given seid)
  DERIVATION
    LET secureEntityType set1 = SENnspType(SENseidNsp(s))
    IN IF set1 = ? THEN tNull ELSE set1;

VFUN SENmakeSeid(seid exampleSeid; INTEGER index) -> seid rSeid;
  $(SENmakeSeid)
  $( forms a seid with an nsp the same as the example seid and the given
     index; seid allocation is now done by the type managers for the
     objects in question, allowing seids to be reused in the case of
     objects that are dynamically allocated)
  ASSERTIONS
    index INSET {0 .. SENmaxIndex};
  DERIVATION
    SOME seid s | SENseidNsp(s) = SENseidNsp(exampleSeid)
                  AND SENseidIndex(s) = index;

$( ---------- syl functions ---------- )

VFUN SYLgetHigh() -> INTEGER level;   $(SYLgetHigh)
  $( represents the current highest security level for the system)
  HIDDEN;
  INITIALLY
    level = SENhighLevel;

OFUN SYLsetHigh(INTEGER level);   $(SYLsetHigh)
  $( sets the current highest security level for the system to the specified
     value)
  EXCEPTIONS
    KEsylTooHigh: NOT level INSET {SENlowLevel .. SENhighLevel};
  EFFECTS
    'SYLgetHigh() = level;

$( ---------- tii state function ---------- )

VFUN TIIinfo(seid s) -> tiiStruct st;   $(TIIinfo)
  $(returns the type-independent information for a system object; this
    information includes discretionary, non-discretionary, and domain access
    controls, privileges, and the owner and group for the object)
  HIDDEN;
  INITIALLY st = ?;

$( ---------- smx functions ---------- )

VFUN SMXhasPriv(seid pSeid; privType priv) -> BOOLEAN b;   $(SMXhasPriv)
  $( tells whether a given object -- usually a process -- has a particular
     privilege)
  DERIVATION
    IF TIIinfo(pSeid) ~= ? THEN priv INSET TIIinfo(pSeid).priv ELSE FALSE;

VFUN SMXflow(seid pSeid, oSeid; daType da) -> BOOLEAN b;   $(SMXflow)
  $( tells whether a given subject "pSeid" can access a given object "oSeid"
     with the information flow specified by "flow", according to the
     constraints of the military multilevel security model; these constraints
     do not apply if the subject has the proper privilege)
  DEFINITIONS
    tiiStruct pTii IS TIIinfo(pSeid);
    tiiStruct oTii IS TIIinfo(oSeid);
  DERIVATION
    IF pTii ~= ? AND oTii ~= ?
    THEN (daWrite INSET da
          => (NOT SMXhasPriv(pSeid, privViolStarSecurity)
              => pTii.nd.securityLevel <= oTii.nd.securityLevel)
             AND (NOT SMXhasPriv(pSeid, privViolCompartments)
                  => pTii.nd.securityCatS SUBSET oTii.nd.securityCatS)
             AND (NOT SMXhasPriv(pSeid, privViolSimpIntegrity)
                  => pTii.nd.integrityLevel >= oTii.nd.integrityLevel)
             AND (NOT SMXhasPriv(pSeid, privViolCompartments)
                  => oTii.nd.integrityCatS SUBSET pTii.nd.integrityCatS))
         AND (daRead INSET da
              => (NOT SMXhasPriv(pSeid, privViolSimpSecurity)
                  => oTii.nd.securityLevel <= pTii.nd.securityLevel)
                 AND (NOT SMXhasPriv(pSeid, privViolCompartments)
                      => oTii.nd.securityCatS
                         SUBSET pTii.nd.securityCatS)
                 AND (NOT SMXhasPriv(pSeid, privViolStarIntegrity)
                      => oTii.nd.integrityLevel
                         >= pTii.nd.integrityLevel)
                 AND (NOT SMXhasPriv(pSeid, privViolCompartments)
                      => pTii.nd.integrityCatS
                         SUBSET oTii.nd.integrityCatS))
    ELSE FALSE;

VFUN SMXdap(seid pSeid, oSeid; daType da) -> BOOLEAN b;   $(SMXdap)
  $( tells whether a given subject "pSeid" can access a particular object
     "oSeid" according to the discretionary access rules of the system --
     similar to those of UNIX)
  DEFINITIONS
    tiiStruct p IS TIIinfo(pSeid);
    modeStruct mst IS TIIinfo(oSeid).da;
    tiiStruct o IS TIIinfo(oSeid);
    BOOLEAN access(daType requested, allowed)
      IS requested
         SUBSET allowed
                UNION (IF SMXhasPriv(pSeid, privRealizeExecPermissions)
                          AND daExecute INSET allowed
                       THEN {daRead}
                       ELSE {});
  DERIVATION
    IF o ~= ?
    THEN SMXhasPriv(pSeid, privViolDiscrAccess)
         OR access(da, mst.allMode)
         OR (p.group = o.group AND access(da, mst.groupMode))
         OR (p.owner = o.owner AND access(da, mst.ownerMode))
    ELSE FALSE;
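SMXflow and SMXdap are the two checks every kernel operation above consults (PVMsetSegmentStatus, PVPinvokeSupport and so on). The following is an added executable Python model of SMXhasPriv, SMXflow and SMXdap as derived here, not code from KSOS; TIIinfo becomes a dict from seid to a Tii record, and the seids, levels, compartments and modes are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet

DA_READ, DA_WRITE, DA_EXECUTE = "daRead", "daWrite", "daExecute"


@dataclass(frozen=True)
class NonDis:                      # spec nonDisType
    security_level: int
    security_cats: FrozenSet[str]
    integrity_level: int
    integrity_cats: FrozenSet[str]


@dataclass(frozen=True)
class Modes:                       # spec modeStruct (ownerMode, groupMode, allMode)
    owner: FrozenSet[str]
    group: FrozenSet[str]
    all: FrozenSet[str]


@dataclass(frozen=True)
class Tii:                         # spec tiiStruct
    nd: NonDis
    da: Modes
    owner: int
    group: int
    priv: FrozenSet[str] = frozenset()


def smx_has_priv(tii_info, p_seid, priv):
    t = tii_info.get(p_seid)       # TIIinfo(pSeid) = ? is modelled as a missing key
    return priv in t.priv if t is not None else False


def smx_flow(tii_info, p_seid, o_seid, da):
    """Mandatory check from the SMXflow derivation.  Each clause has the form
    (NOT SMXhasPriv(pSeid, priv) => condition), i.e. priv OR condition.
    A request containing only daExecute passes vacuously, as in the spec."""
    p, o = tii_info.get(p_seid), tii_info.get(o_seid)
    if p is None or o is None:
        return False

    def rule(priv, cond):
        return smx_has_priv(tii_info, p_seid, priv) or cond

    ok = True
    if DA_WRITE in da:             # no write down; no write to higher integrity
        ok = (rule("privViolStarSecurity", p.nd.security_level <= o.nd.security_level)
              and rule("privViolCompartments", p.nd.security_cats <= o.nd.security_cats)
              and rule("privViolSimpIntegrity", p.nd.integrity_level >= o.nd.integrity_level)
              and rule("privViolCompartments", o.nd.integrity_cats <= p.nd.integrity_cats))
    if DA_READ in da:              # no read up; no read from lower integrity
        ok = (ok
              and rule("privViolSimpSecurity", o.nd.security_level <= p.nd.security_level)
              and rule("privViolCompartments", o.nd.security_cats <= p.nd.security_cats)
              and rule("privViolStarIntegrity", o.nd.integrity_level >= p.nd.integrity_level)
              and rule("privViolCompartments", p.nd.integrity_cats <= o.nd.integrity_cats))
    return ok


def smx_dap(tii_info, p_seid, o_seid, da):
    """Discretionary (UNIX-like) check from the SMXdap derivation.  The spec
    tests only o ~= ?; returning FALSE for a subject with no TII is an
    assumption of this model."""
    p, o = tii_info.get(p_seid), tii_info.get(o_seid)
    if p is None or o is None:
        return False
    mst = o.da

    def access(requested, allowed):
        # privRealizeExecPermissions lets an execute-only mode also grant read
        extra = ({DA_READ} if DA_EXECUTE in allowed
                 and smx_has_priv(tii_info, p_seid, "privRealizeExecPermissions")
                 else set())
        return requested <= (allowed | extra)

    return (smx_has_priv(tii_info, p_seid, "privViolDiscrAccess")
            or access(da, mst.all)
            or (p.group == o.group and access(da, mst.group))
            or (p.owner == o.owner and access(da, mst.owner)))


def check(tii_info, p_seid, o_seid, da):
    """(mandatory, discretionary) verdicts, the pair an operation applies."""
    return smx_flow(tii_info, p_seid, o_seid, da), smx_dap(tii_info, p_seid, o_seid, da)


# Constructed sample TII table: levels 0 (low) and 2 (high), compartments by name.
R, W, X = frozenset({DA_READ}), frozenset({DA_WRITE}), frozenset({DA_EXECUTE})
NONE = frozenset()
TII = {
    "proc":     Tii(NonDis(2, frozenset({"crypto"}), 1, NONE), Modes(NONE, NONE, NONE), 100, 10),
    "sysproc":  Tii(NonDis(2, NONE, 1, NONE), Modes(NONE, NONE, NONE), 0, 0,
                    priv=frozenset({"privViolStarSecurity", "privRealizeExecPermissions"})),
    "lowfile":  Tii(NonDis(0, NONE, 1, NONE), Modes(R | W, R, R), 100, 10),
    "highfile": Tii(NonDis(2, frozenset({"crypto", "nuclear"}), 1, NONE), Modes(R | W, NONE, NONE), 7, 10),
    "bin":      Tii(NonDis(0, NONE, 1, NONE), Modes(R | W | X, X, X), 0, 0),
}

if __name__ == "__main__":
    for p, o, da in [("proc", "lowfile", R), ("proc", "lowfile", W), ("proc", "highfile", R),
                     ("sysproc", "lowfile", W), ("proc", "bin", R), ("sysproc", "bin", R)]:
        print(p, o, sorted(da), check(TII, p, o, da))
```

The write-down by "proc" is refused by SMXflow even though SMXdap grants it, and the privileged "sysproc" shows the converse: privViolStarSecurity waives the mandatory clause but not the discretionary one.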


$( ---------- tii -- extraction and insertion functions ---------- )

OFUN TIIcreateEntityLevel(seid oSeid; tiiStruct ntii);   $(TIIcreateEntityLevel)
  $( initializes the tii information for an object "oSeid"; the object must
     not have currently defined tii information; this is a service function
     required for the creation of all types of objects in KSOS)
  ASSERTIONS
    TIIinfo(oSeid) = ?;
    ntii.nd.securityLevel INSET {SENlowLevel .. SYLgetHigh()};
    ntii.nd.integrityLevel INSET {SENlowLevel .. SENhighLevel};
  EFFECTS
    'TIIinfo(oSeid) = ntii;

smx.specs   Page 5   Fri Mar 27 15:34:47 1981

VFUN TIIgetEntityLevel(seid pSeid, oSeid) -> tiiStruct ntii;
  $(TIIgetEntityLevel)
  $(Retrieves the tii information of an object named by "oSeid", as
    directed by process "pSeid"; mandatory and discretionary checks are also
    performed; this function is used by
    functions of the object-maintaining modules, which provide status
    information to the object that is concerned with getting and setting
    object levels)
  EXCEPTIONS
    KEtiiNoObj: TIIinfo(oSeid) = ? OR NOT SMXflow(pSeid, oSeid, {daRead});
  DERIVATION
    TIIinfo(oSeid);

OFUN TIIsetEntityLevel(seid pSeid, oSeid; tiiStruct ntii);
  $(TIIsetEntityLevel)
  $( sets the type-independent information for an existing object
     "oSeid" to the new value "ntii", as directed by process
     "pSeid"; the privilege to set level is always required; if an
     object's privileges are to be modified, the privilege to modify
     privileges is required; because only privileged programs are allowed to
     invoke this function, no other security checks -- either mandatory
     or discretionary -- are made)
  DEFINITIONS
    tiiStruct otii IS TIIinfo(oSeid);
  EXCEPTIONS
    $(privilege checking occurs in lev module)
    KEtiiNoSetPriv:
      otii.priv ~= ntii.priv AND NOT SMXhasPriv(pSeid, privModifyPriv);
    KEtiiNoObj: otii = ?;
  ASSERTIONS
    ntii.nd.securityLevel INSET {SENlowLevel .. SYLgetHigh()};
    ntii.nd.integrityLevel INSET {SENlowLevel .. SENhighLevel};
  EFFECTS
    'TIIinfo(oSeid) = ntii;

OFUN TIIclearEntityLevel(seid oSeid);   $(TIIclearEntityLevel)
  $( deletes the type-independent information for an object "oSeid"; this
     function is used for implementing functions that delete objects -- and
     thus must also delete the tii info)
  EFFECTS
    'TIIinfo(oSeid) = ?;

END MODULE
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C?D??  'j  f  S?*Xco;:.rare 

;Here*s  the  “odula  ?:c3ri.‘i  to  he  proven: 

vuUULs.  J'x; 

ot?  I  Nil  Sfr  xco.npa  ra 
JSE  SUOSetO''/ 


PKUCiUUKF.  5  Txco-or.r  e  (u  t  ii/  Uii:  tiistruct):  boolean; 
a  tu 1  *' 


S^xcor-oare  :=  (Lt  ii.  n  3.  securitylsvel  <=  Htii.nd.sacuritylevel )  AND 

suhsetoptLtii.^d.securitycatS/  Hti i.nd.securitycats)  AND 
( Lti l .nd. integrity leve l  >=  Htii  .na.  intear  it yleve  1 )  AND 

?unsetop(  Ltii.  na.  integr  itycats/  Kti  i  .r.d  .int  egr  ltycats  ); 
K.v.J  Srivcorcrar  e  ? 

Mil)  smr  . 


AKSir'C  SUX.  /  UOULA ) 
Parsing  starte  3 
(Parsing  Dor e) 
yp_pp  syxwiut^ff 


/S'irst,  the  “odula  progra-  Is  parsed 

jrfith  the  function  MP A PDF ,  in  the  TRANS. EXE 

/environment. 

?4ere's  th  upper-level  spec,  entered  with 
;the  Emacs  editor/  using  the  coyer-«.oore 
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(SmxcompaREMJDULE  jEmacs  -  LISP  interface. 

(OVENS  (3KXCOMPAEE  (LT1I  HTII) 

(VALUE  (AND  (NOT  (GREATERP  (SELECT  LTII  - 

(QUOTE  (HO 

SECURITYLEVEL)) 

STATE) 

(SELECT  HTTI  “ 

(QUOTE  (ND 

SECURITYLEVEL ) ) 
STATE)))  - 

(SUBSET  (SELECT  LTII  (QUOTE  (NO  SECURITYCATS. 
**) 

) 

STATE) 

(SELECT  HTI I  (QUOTE  (ND  SECURITYCAT* 

•*> 

) 

STATE) 

STATE) 

(NOT  (LESS?  (SELECT  LTII  M 

(QUOTE  (ND 

INTEGRITYLEVEL ) ) 


STATE) 

(SELECT  HTII 

(QUOTE  (ND 

INTEGRITYLEVEL)) 

STATE))) 

(SUBSET  (SELECT  LTII  (QUOTE  (ND 

INTEGRITYCATS)) 

STATE) 

(SELECT  HTII  (QUOTE  (ND 

INTEGRITYCATS)) 

STATE) 

STATE)))))) 

smxmuoule 

il _ Ht*  RRIMITIVEMUDULE  ;Here#s  the  lower-level  spec. 


(PRIMITIVE MODULE  (CVFNS  ( SU3SETCP  (X  Y) 

(VALUE  (SUBSET  X  Y  STATE))) 

(SELECT. RECORD  (STRUCTURE  FIELD) 

(VALUE  (SELECT  STRUCTURE  FIELD  STATE)-* 

**  j 


) 

(VF*IS  (SUBSET  (X  Y)) 

(SELECT  (STRUCTURE  FIELD)))) 

FK 1M1T1VEMUDULE 

TIJfV  pks  jThls  variable  PRS  has  been  set  to  be  the 


;?arsed  Modula  program  oy  MPARSE. 
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(MUUiJLt 

Snx 


(DEFINE  Snixcorpare ) 

(USE  suhsetor) 
(((PKUCKOURE 
Snxcoffloar e 
((CONST  (Ltii  litii) 
ti (struct)) 

NIL 

(tfiL 


(HEGIN 

(:=  Suxcomoare 

(AMO  DP  (ANDQP  (ANDO?  (LESSOREQUALOP 

(SELECT.RECORD  (SELECT. RECORD 
Ltii 

(QUOTECP  (nd))) 

(QUOTEOP  (securitylevel)) 

** ) 

(SELECT.RECORD  (SELECT. RECORD 
Htii 

(QUOTEOP  (nd))) 

(QUOTEOP  (securitylevel)) 

**) 

) 

(sub seto?  (SELECT.RECORD 

(SELECT.RECORD 

Ltii 

(QUOTEOP  (nd))) 

(QUOTEOP  (securitycats))) 
(SELECT.RECORD 
(SELECT.RECORD 
Htii 

(QUOTEOP  (nd))) 

(QUOTEOP  (securitycats))))) 
(3REATER0REQJAL0P  (SELECT.RECORD 

(SELECT.RECORD 

Ltii 

(QUOTEOP  (nd))) 

(QUOTEOP  (ir.tegritylevel) )) 
(SELECT.RECORD 
(SELECT.RECORD 
Htii 

(QUOTEOP  (nd))) 

(QUOTEOP  (integrity level) ) ) ) ) 
(subsetop  (SELECT.RECORD  (SELECT.RECORD  Ltii 

(QUOTEOP 

(nd))) 

(QUOTEOP  ( integritycats) ) ) 
(SELECT.RECORD  (SELECT.RECORD  Htii 

(QUOTEOP 

(nd))) 

(QUOTEOP  (integritycats)))))) 


NIL)) 


NIL)))) 


28_ARGLIST(TRANSLATE)                            ;Just checking to see the order of the
(PARSED-PROGRAM UPPERMODULE LOWERMODULE)         ;arguments to TRANSLATE.

29_TRANSLATE(PRS SMXMODULE PRIMITIVEMODULE)      ;Invoking TRANSLATE on the
                                                 ;parsed program, the upper-level specs, and
About to undo DEFINE lists                       ;the lower-level specs.
DEFINE lists undone
About to disambiguate name duplications
Renaming done                                    ;This stuff is just messages from TRANSLATE.
About to make integer substitutions for Types and Constants
Constants and Types replaced by integers
About to perform translation
Translating finished
About to do some optimization
Optimizing done
About to splice in exception handling dumps
Splicing done
(Processing Completed)

30_PP RUN-PROG                                   ;This is the result of the TRANSLATE call.

((VFNS)
 (OVFNS (SMXCOMPARE ((ASSIGN S0001 (QUOTEOP (ND)))
                     (ASSIGN S0002 (SELECT.RECORD LTII S0001))
                     (ASSIGN S0003 (QUOTEOP (SECURITYLEVEL)))
                     (ASSIGN S0004 (SELECT.RECORD S0002 S0003))
                     (ASSIGN S0005 (QUOTEOP (ND)))
                     (ASSIGN S0006 (SELECT.RECORD HTII S0005))
                     (ASSIGN S0007 (QUOTEOP (SECURITYLEVEL)))
                     (ASSIGN S0008 (SELECT.RECORD S0006 S0007))
                     (ASSIGN S0009 (LESSOREQUALOP S0004 S0008))
                     (ASSIGN S0010 (QUOTEOP (ND)))
                     (ASSIGN S0011 (SELECT.RECORD LTII S0010))
                     (ASSIGN S0012 (QUOTEOP (SECURITYCATS)))
                     (ASSIGN S0013 (SELECT.RECORD S0011 S0012))
                     (ASSIGN S0014 (QUOTEOP (ND)))
                     (ASSIGN S0015 (SELECT.RECORD HTII S0014))
                     (ASSIGN S0016 (QUOTEOP (SECURITYCATS)))
                     (ASSIGN S0017 (SELECT.RECORD S0015 S0016))
                     (ASSIGN S0018 (SUBSETOP S0013 S0017))
                     (ASSIGN S0019 (ANDOP S0009 S0018))
                     (ASSIGN S0020 (QUOTEOP (ND)))
                     (ASSIGN S0021 (SELECT.RECORD LTII S0020))
                     (ASSIGN S0022 (QUOTEOP (INTEGRITYLEVEL)))
                     (ASSIGN S0023 (SELECT.RECORD S0021 S0022))
                     (ASSIGN S0024 (QUOTEOP (ND)))
                     (ASSIGN S0025 (SELECT.RECORD HTII S0024))
                     (ASSIGN S0026 (QUOTEOP (INTEGRITYLEVEL)))
                     (ASSIGN S0027 (SELECT.RECORD S0025 S0026))
                     (ASSIGN S0028 (GREATEROREQUALOP S0023 S0027))
                     (ASSIGN S0029 (ANDOP S0019 S0028))
                     (ASSIGN S0030 (QUOTEOP (ND)))
                     (ASSIGN S0031 (SELECT.RECORD LTII S0030))
                     (ASSIGN S0032 (QUOTEOP (INTEGRITYCATS)))
                     (ASSIGN S0033 (SELECT.RECORD S0031 S0032))
                     (ASSIGN S0034 (QUOTEOP (ND)))
                     (ASSIGN S0035 (SELECT.RECORD HTII S0034))
                     (ASSIGN S0036 (QUOTEOP (INTEGRITYCATS)))
                     (ASSIGN S0037 (SELECT.RECORD S0035 S0036))
                     (ASSIGN S0038 (SUBSETOP S0033 S0037))
                     (ASSIGN A01 (ANDOP S0029 S0038))
                     (ANSWER)))
  (SMX NIL))
 (INITIALIZATION)
 (INVARIANT)
 (DEFINITIONS)
 (GLOBAL.VARIABLES))
RUN-PROG

31_DRIBBLE()                                     ;I saved the specs and translation on a file
                                                 ;for use in VC generation and proving. Recall
                                                 ;that the tools for these processes are in a
                                                 ;different environment: CIRVCG.EXE.

                                                 ;So, now I'm in the new environment. I've
                                                 ;loaded the things I saved previously into
32_(MAKE.VCS RUN-PROG SMXMODULE PRIMITIVEMODULE) ;this environment. I begin
                                                 ;by invoking MAKE.VCS on the implementation,
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)  ;and the specs.

;All of the messages appearing here are warnings from the VCG. Looking
;at the CIR (RUN-PROG) you should be able to tell why they're here. Can
;you? (Check back to the Boyer-Moore formalization of HDM.)

collecting lists
4022, 10166 free cells

(Argument (SECURITYLEVEL) in (QUOTEOP (SECURITYLEVEL)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (SECURITYLEVEL) in (QUOTEOP (SECURITYLEVEL)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (SECURITYCATS) in (QUOTEOP (SECURITYCATS)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (SECURITYCATS) in (QUOTEOP (SECURITYCATS)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (INTEGRITYLEVEL) in (QUOTEOP (INTEGRITYLEVEL)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (INTEGRITYLEVEL) in (QUOTEOP (INTEGRITYLEVEL)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (INTEGRITYCATS) in (QUOTEOP (INTEGRITYCATS)) not a LITATOM)
(Argument (ND) in (QUOTEOP (ND)) not a LITATOM)
(Argument (INTEGRITYCATS) in (QUOTEOP (INTEGRITYCATS)) not a LITATOM)
<KCPROOF>SMX.DRIBBLE.2    Tue 1-Jan-80 11:37PM    Page 1:5
33_PP VCG.RESULT                                 ;MAKE.VCS has stored the list of VCs to
                                                 ;be proved here, in VCG.RESULT
((COMMENT
  CORRECTNESS.OF.THE.IMPLEMENTATION.OF.SMXCOMPAREMODULE.ON.PRIMITIVEMODULE)
 (DCL STATE NIL)
 (DCL STATE* NIL)
 (DCL BEGIN NIL)
 (DCL NEWSTATE NIL)
 (DCL NEXT (STATE))
 (DCL SUBSET (X Y STATE))
 (DCL SELECT (STRUCTURE FIELD STATE))
 (DCL TRUEOP (STATE))
 (DCL FALSEOP (STATE))
 (DCL UNDEFOP (STATE))
 (DCL EQUALOP (X Y STATE))
 (DCL NEQUALOP (X Y STATE))
 (DCL ZEROPOP (X STATE))
 (DCL GREATERPOP (X Y STATE))
 (DCL LESSPOP (X Y STATE))
 (DCL ADD1OP (X STATE))
 (DCL PLUSOP (X Y STATE))
 (DCL DIFFERENCEOP (X Y STATE))
 (DCL NUMBERPOP (X STATE))
 (DCL GREATEROREQUALOP (X Y STATE))
 (DCL LESSOREQUALOP (X Y STATE))
 (DCL OROP (X Y STATE))
 (DCL ANDOP (X Y STATE))
 (DCL QUOTEOP (X STATE))
 (DCL SUBSETOP (X Y STATE))
 (DCL SELECT.RECORD (STRUCTURE FIELD STATE))
 (DCL SMXCOMPARE (LTII HTII STATE))
 (COMMENT CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE)
 (COMMENT INPUT.TO.OUTPUT)
 (PROVE.LEMMA CONCLUSION NIL (TRUE))
 (UNDO.BACK.THROUGH INPUT.TO.OUTPUT)
 (COMMENT STATE.EQUIVALENCE)
 (ADD.AXIOM HYPOTHESIS (REWRITE)
            (AND (EQUAL (SUBSET X Y (NEWSTATE))
                        (SUBSET X Y (STATE)))
                 (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE))
                        (SELECT STRUCTURE FIELD (STATE)))))
 (PROVE.LEMMA CONCLUSION NIL (TRUE))
 (UNDO.BACK.THROUGH STATE.EQUIVALENCE)
 (UNDO.BACK.THROUGH CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE)
 (COMMENT CORRECTNESS.OF.SMXCOMPARE)
 (DCL HTII* NIL)
 (DCL LTII* NIL)
 (COMMENT INPUT.TO.OUTPUT)
 (PROVE.LEMMA
  CONCLUSION NIL
  (EQUAL (AND (AND (AND (NOT (GREATERP (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                                (QUOTE (SECURITYLEVEL))
                                                (STATE*))
                                        (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                                (QUOTE (SECURITYLEVEL))
                                                (STATE*))))
                         (SUBSET (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                         (QUOTE (SECURITYCATS))
                                         (STATE*))
                                 (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                         (QUOTE (SECURITYCATS))
                                         (STATE*))
                                 (STATE*)))
                    (NOT (LESSP (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                        (QUOTE (INTEGRITYLEVEL))
                                        (STATE*))
                                (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                        (QUOTE (INTEGRITYLEVEL))
                                        (STATE*)))))
               (SUBSET (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                               (QUOTE (INTEGRITYCATS))
                               (STATE*))
                       (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                               (QUOTE (INTEGRITYCATS))
                               (STATE*))
                       (STATE*)))
         (AND (NOT (GREATERP (SELECT (LTII*) (QUOTE (ND SECURITYLEVEL)) (STATE*))
                             (SELECT (HTII*) (QUOTE (ND SECURITYLEVEL)) (STATE*))))
              (SUBSET (SELECT (LTII*) (QUOTE (ND SECURITYCATS)) (STATE*))
                      (SELECT (HTII*) (QUOTE (ND SECURITYCATS)) (STATE*))
                      (STATE*))
              (NOT (LESSP (SELECT (LTII*) (QUOTE (ND INTEGRITYLEVEL)) (STATE*))
                          (SELECT (HTII*) (QUOTE (ND INTEGRITYLEVEL)) (STATE*))))
              (SUBSET (SELECT (LTII*) (QUOTE (ND INTEGRITYCATS)) (STATE*))
                      (SELECT (HTII*) (QUOTE (ND INTEGRITYCATS)) (STATE*))
                      (STATE*)))))
 (UNDO.BACK.THROUGH INPUT.TO.OUTPUT)
 (COMMENT STATE.EQUIVALENCE)
 (ADD.AXIOM HYPOTHESIS (REWRITE)
            (AND (EQUAL (SUBSET X Y (NEWSTATE))
                        (SUBSET X Y (STATE)))
                 (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE))
                        (SELECT STRUCTURE FIELD (STATE)))))
 (PROVE.LEMMA CONCLUSION NIL (AND (EQUAL (SUBSET V1 V2 (NEWSTATE))
                                         (SUBSET V1 V2 (STATE)))
                                  (EQUAL (SELECT V1 V2 (NEWSTATE))
                                         (SELECT V1 V2 (STATE)))))
 (UNDO.BACK.THROUGH STATE.EQUIVALENCE)
 (UNDO.BACK.THROUGH CORRECTNESS.OF.SMXCOMPARE)
 (UNDO.BACK.THROUGH
  CORRECTNESS.OF.THE.IMPLEMENTATION.OF.SMXCOMPAREMODULE.ON.PRIMITIVEMODULE))
VCG.RESULT

34_PP AXIOM1 AXIOM2                              ;Part of the axiomatization of structures
                                                 ;requires the following two axioms. They are
(ADD.AXIOM IDENTITY.OF.SELECT (REWRITE)          ;added to the list of theorem
           (EQUAL (SELECT S NIL STATE)           ;prover events.
                  S))
(ADD.AXIOM ASSOCIATIVITY.OF.SELECT (REWRITE)
           (EQUAL (SELECT (SELECT S P1 STATE)
                          P2 STATE)
                  (SELECT S (APPEND P1 P2)
                          STATE))
           NIL)
(AXIOM1 AXIOM2)
35_DRIBBLE()
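An added example, not part of the report or of the KSOS tools, that models in Python what the VCG session above hands to the theorem prover: SELECT with a path as its FIELD argument, the two structure axioms just added (IDENTITY.OF.SELECT and ASSOCIATIVITY.OF.SELECT), and the INPUT.TO.OUTPUT conjecture equating the SPECIAL-level SMXCOMPARE (nested SELECTs, first on (ND) and then on the field) with the translated Modula form (one SELECT on the path (ND FIELD)). The record layout under ND, the sample levels and the Python function names are constructed for this illustration; only the field names and the four conjuncts come from the page.

```python
# Added example (not from the KSOS report or its tools): a Python model of
# the structure axioms and of the INPUT.TO.OUTPUT conjecture for SMXCOMPARE.
from itertools import product


def select(structure, path, state=None):
    """Model of SELECT (STRUCTURE FIELD STATE): FIELD is a path, a list of
    field names walked from STRUCTURE.  STATE is carried only to mirror the
    VCG's signature; the sample structures below do not depend on it."""
    value = structure
    for field in path:
        value = value[field]
    return value


def subset(x, y, state=None):
    """Model of SUBSET (X Y STATE): category sets ordered by inclusion."""
    return frozenset(x) <= frozenset(y)


def check_select_axioms(s, p1, p2, state=None):
    """Evaluate IDENTITY.OF.SELECT and ASSOCIATIVITY.OF.SELECT (the two
    axioms added above) on one structure and two paths; returns two booleans."""
    identity = select(s, [], state) == s                     # (SELECT S NIL STATE) = S
    associativity = (select(select(s, p1, state), p2, state)
                     == select(s, p1 + p2, state))          # p1 + p2 is (APPEND P1 P2)
    return identity, associativity


def make_tii(seclevel, seccats, intlevel, intcats):
    """Constructed sample TII record (hypothetical layout; the field names
    under ND are the ones the specification selects)."""
    return {"ND": {"SECURITYLEVEL": seclevel,
                   "SECURITYCATS": frozenset(seccats),
                   "INTEGRITYLEVEL": intlevel,
                   "INTEGRITYCATS": frozenset(intcats)}}


def smxcompare_spec(ltii, htii, state=None):
    """Specification side of the VC: SELECT ND first, then the field."""
    def fld(tii, name):
        return select(select(tii, ["ND"], state), [name], state)
    return (not fld(ltii, "SECURITYLEVEL") > fld(htii, "SECURITYLEVEL")
            and subset(fld(ltii, "SECURITYCATS"), fld(htii, "SECURITYCATS"), state)
            and not fld(ltii, "INTEGRITYLEVEL") < fld(htii, "INTEGRITYLEVEL")
            and subset(fld(ltii, "INTEGRITYCATS"), fld(htii, "INTEGRITYCATS"), state))


def smxcompare_impl(ltii, htii, state=None):
    """Implementation side of the VC: one SELECT on the path (ND FIELD),
    the form the translated Modula code is reduced to."""
    def fld(tii, name):
        return select(tii, ["ND", name], state)
    return (not fld(ltii, "SECURITYLEVEL") > fld(htii, "SECURITYLEVEL")
            and subset(fld(ltii, "SECURITYCATS"), fld(htii, "SECURITYCATS"), state)
            and not fld(ltii, "INTEGRITYLEVEL") < fld(htii, "INTEGRITYLEVEL")
            and subset(fld(ltii, "INTEGRITYCATS"), fld(htii, "INTEGRITYCATS"), state))


def input_to_output_vc(samples, state=None):
    """INPUT.TO.OUTPUT on finite data: the two sides must agree on every
    ordered pair of records.  Returns the index pairs on which they differ."""
    return [(i, j) for (i, low), (j, high) in product(enumerate(samples), repeat=2)
            if smxcompare_spec(low, high, state) != smxcompare_impl(low, high, state)]


# Constructed sample levels: (security level, security cats, integrity level, integrity cats).
SAMPLES = [
    make_tii(0, [], 2, []),             # lowest secrecy, highest integrity
    make_tii(1, ["x"], 1, ["a"]),       # incomparable with the next one (different cats)
    make_tii(1, ["y"], 1, []),
    make_tii(2, ["x", "y"], 0, ["a"]),  # SAMPLES[0] compares below this one
]

if __name__ == "__main__":
    print(check_select_axioms(SAMPLES[0], ["ND"], ["SECURITYCATS"]))   # (True, True)
    print(input_to_output_vc(SAMPLES))                                  # []
    print(smxcompare_impl(SAMPLES[0], SAMPLES[3]),                      # True
          smxcompare_impl(SAMPLES[1], SAMPLES[2]))                      # False
```

The associativity check is the rewrite the prover applies in every case split of the proof that follows: the nested SELECT on (ND) and then on (SECURITYLEVEL) becomes one SELECT on (APPEND (ND) (SECURITYLEVEL)), after which the two sides of the VC are syntactically the same term. Modelling FIELD as a list rather than a literal atom is also the shape the VCG's "not a LITATOM" warnings above are objecting to.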


)Here  is  the  proof  of  SMXMOOOLA  on  PRIMITIVEMQDULE 


<LISP>LISP.EXE.132 
<MOORE>CODE..4 
<HIER>C0DE1..2 
<MQORE>OATA..4 
<H IER>D  AT  Al. . 2 


Friday/  November  16/  1V79  8:25PM-PST 

_CUMMbNT( 

CUKBECTNbSS.  OF  .THE  . IMPLEMENTATION. OF.SMXCOMP  AREMODULE .ON .  PRIMI TI VE MODULE 
) 

CUKKEC'fNKSS.Or'  .THE.  I  VP  LEM  ENT  AT  ION.  OF.  SMXC04PAREM03ULE.  Od.  PRIMITIVEMQDULE 


„OCU STATE  NIL  ) 
STATE 


_UCL{ STATE*  NIL) 
STATS* 


.DLL (BEGIN  NIL) 
BEGIN 


_OCUNE*STATE  NIL) 
NENSTATE 



_DCL(NEXT (STATE))
NEXT

_DCL(SUBSET (X Y STATE))
SUBSET

_DCL(SELECT (STRUCTURE FIELD STATE))
SELECT

_DCL(TRUEOP (STATE))
TRUEOP

_DCL(FALSEOP (STATE))
FALSEOP

_DCL(UNDEFOP (STATE))
UNDEFOP

_DCL(EQUALOP (X Y STATE))
EQUALOP

_DCL(NEQUALOP (X Y STATE))
NEQUALOP

_DCL(ZEROPOP (X STATE))
ZEROPOP

_DCL(GREATERPOP (X Y STATE))
GREATERPOP

_DCL(LESSPOP (X Y STATE))
LESSPOP

_DCL(ADD1OP (X STATE))
ADD1OP

_DCL(PLUSOP (X Y STATE))
PLUSOP

_DCL(DIFFERENCEOP (X Y STATE))
DIFFERENCEOP

_DCL(NUMBERPOP (X STATE))
NUMBERPOP

_DCL(GREATEROREQUALOP (X Y STATE))
GREATEROREQUALOP

_DCL(LESSOREQUALOP (X Y STATE))
LESSOREQUALOP

_DCL(OROP (X Y STATE))
OROP

_DCL(ANDOP (X Y STATE))
ANDOP

_DCL(QUOTEOP (X STATE))
QUOTEOP

_DCL(SUBSETOP (X Y STATE))
SUBSETOP

_DCL(SELECT.RECORD (STRUCTURE FIELD STATE))
SELECT.RECORD

_DCL(SMXCOMPARE (LTII HTII STATE))
SMXCOMPARE

_ADD.AXIOM(IDENTITY.OF.SELECT
           (REWRITE)
           (EQUAL (SELECT S NIL STATE) S))
IDENTITY.OF.SELECT

_ADD.AXIOM(ASSOCIATIVITY.OF.SELECT
           (REWRITE)
           (EQUAL (SELECT (SELECT S P1 STATE) P2 STATE)
                  (SELECT S (APPEND P1 P2) STATE))
           NIL)
ASSOCIATIVITY.OF.SELECT
_COMMENT(CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE)
CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE

_COMMENT(INPUT.TO.OUTPUT)
INPUT.TO.OUTPUT

_PROVE.LEMMA(CONCLUSION NIL (TRUE))

This conjecture simplifies, clearly, to:

(TRUE).

Q.E.D.

Load average during proof: 1.134404
Elapsed time: 1.085 seconds
CPU time (devoted to theorem proving): .124 seconds
GC time: 0.0 seconds
IO time: .096 seconds
CONSes consumed: 50

PROVED

_UNDO.BACK.THROUGH(INPUT.TO.OUTPUT)
((PROVE.LEMMA CONCLUSION NIL (TRUE)) (COMMENT INPUT.TO.OUTPUT))

_COMMENT(STATE.EQUIVALENCE)
STATE.EQUIVALENCE

_ADD.AXIOM(HYPOTHESIS
           (REWRITE)
           (AND (EQUAL (SUBSET X Y (NEWSTATE))
                       (SUBSET X Y (STATE)))
                (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE))
                       (SELECT STRUCTURE FIELD (STATE)))))
HYPOTHESIS

_PROVE.LEMMA(CONCLUSION NIL (TRUE))

This formula simplifies, clearly, to:

(TRUE).

Q.E.D.

Load average during proof: 1.232444
Elapsed time: .225 seconds
CPU time (devoted to theorem proving): .107 seconds
GC time: 0.0 seconds
IO time: .081 seconds
CONSes consumed: 50

PROVED

_UNDO.BACK.THROUGH(STATE.EQUIVALENCE)
((PROVE.LEMMA CONCLUSION NIL (TRUE)) (ADD.AXIOM HYPOTHESIS (
REWRITE) (AND (EQUAL (SUBSET X Y (NEWSTATE)) (SUBSET X Y (
STATE))) (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE)) (SELECT
STRUCTURE FIELD (STATE))))) (COMMENT STATE.EQUIVALENCE))

_UNDO.BACK.THROUGH(CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE)
((COMMENT CORRECTNESS.OF.INITIALIZATION.OF.SMXCOMPAREMODULE))

_COMMENT(CORRECTNESS.OF.SMXCOMPARE)
CORRECTNESS.OF.SMXCOMPARE

_DCL(HTII* NIL)
HTII*

_DCL(LTII* NIL)
LTII*

_COMMENT(INPUT.TO.OUTPUT)
INPUT.TO.OUTPUT


AD-AU1 563   FORD AEROSPACE AND COMMUNICATIONS CORP  PALO ALTO CA  W--ETC   F/G 17/2
(KSOS) KERNEL VERIFICATION RESULTS. KERNELIZED SECURE OPERATING--ETC(U)
DEC 80
UNCLASSIFIED   WDL-TR9001   NL
_PROVE.LEMMA(CONCLUSION NIL
  (EQUAL (AND (AND (AND (NOT (GREATERP (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                                (QUOTE (SECURITYLEVEL))
                                                (STATE*))
                                        (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                                (QUOTE (SECURITYLEVEL))
                                                (STATE*))))
                         (SUBSET (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                         (QUOTE (SECURITYCATS))
                                         (STATE*))
                                 (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                         (QUOTE (SECURITYCATS))
                                         (STATE*))
                                 (STATE*)))
                    (NOT (LESSP (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                                        (QUOTE (INTEGRITYLEVEL))
                                        (STATE*))
                                (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                                        (QUOTE (INTEGRITYLEVEL))
                                        (STATE*)))))
               (SUBSET (SELECT (SELECT (LTII*) (QUOTE (ND)) (STATE*))
                               (QUOTE (INTEGRITYCATS))
                               (STATE*))
                       (SELECT (SELECT (HTII*) (QUOTE (ND)) (STATE*))
                               (QUOTE (INTEGRITYCATS))
                               (STATE*))
                       (STATE*)))
         (AND (NOT (GREATERP (SELECT (LTII*) (QUOTE (ND SECURITYLEVEL)) (STATE*))
                             (SELECT (HTII*) (QUOTE (ND SECURITYLEVEL)) (STATE*))))
              (SUBSET (SELECT (LTII*) (QUOTE (ND SECURITYCATS)) (STATE*))
                      (SELECT (HTII*) (QUOTE (ND SECURITYCATS)) (STATE*))
                      (STATE*))
              (NOT (LESSP (SELECT (LTII*) (QUOTE (ND INTEGRITYLEVEL)) (STATE*))
                          (SELECT (HTII*) (QUOTE (ND INTEGRITYLEVEL)) (STATE*))))
              (SUBSET (SELECT (LTII*) (QUOTE (ND INTEGRITYCATS)) (STATE*))
                      (SELECT (HTII*) (QUOTE (ND INTEGRITYCATS)) (STATE*))
                      (STATE*)))))

This simplifies, expanding the definitions of GREATERP, NOT,
and AND, to 13 new goals:


Case 1. (IMPLIES
           (AND (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*)))
                (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*)))
                (NOT (LESSP (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (NOT (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (STATE*)))).

This again simplifies, rewriting with
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
expanding the function APPEND, to:

(TRUE).
Case 2. (IMPLIES
           (AND (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*)))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (NOT (LESSP (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (NOT (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (STATE*)))),

which we again simplify, applying the lemmas
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
unfolding the function APPEND, to:

(TRUE).

Case 3. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*)))
                (NOT (LESSP (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (NOT (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (STATE*)))).

But this simplifies again, applying
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
expanding the function APPEND, to:

(TRUE).

Case 4. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (LESSP (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*))))
           (NOT (LESSP (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                               (STATE*))))).

But this again simplifies, rewriting with
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
expanding the function APPEND, to:

(TRUE).

Case 5. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (LESSP (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*)))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (NOT (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                                (STATE*))
                        (STATE*)))),

which we again simplify, applying ASSOCIATIVITY.OF.SELECT,
CAR.CONS, and CDR.CONS, and expanding the function APPEND,
to:

(TRUE).

Case 6. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (LESSP (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*)))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (SUBSET (SELECT (LTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                           (STATE*))
                   (SELECT (HTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                           (STATE*))
                   (STATE*))),

which again simplifies, applying ASSOCIATIVITY.OF.SELECT,
CAR.CONS, and CDR.CONS, and opening up the definition of
APPEND, to:

(TRUE).


Case 7. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (LESSP (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                               (STATE*)))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*)))))
           (SUBSET (SELECT (LTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                           (STATE*))
                   (SELECT (HTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                           (STATE*))
                   (STATE*))),

which again simplifies, applying ASSOCIATIVITY.OF.SELECT,
CAR.CONS, and CDR.CONS, and unfolding APPEND, to:

(TRUE).
Case 8. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*)))))
           (NOT (LESSP (SELECT (LTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                               (STATE*))
                       (SELECT (HTII*)
                               (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                               (STATE*))))).

However this again simplifies, rewriting with
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
opening up APPEND, to:

(TRUE).

Case 9. (IMPLIES
           (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE SECURITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))
                            (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                    (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                    (STATE*))))
                (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*))
                (NOT (LESSP (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                    (STATE*))))
                (NOT (LESSP (SELECT (LTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))
                            (SELECT (HTII*)
                                    (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                    (STATE*))))
                (SUBSET (SELECT (LTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (SELECT (HTII*)
                                (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                                (STATE*))
                        (STATE*)))
           (SUBSET (SELECT (LTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                           (STATE*))
                   (SELECT (HTII*)
                           (CONS (QUOTE ND) (CONS (QUOTE SECURITYCATS) NIL))
                           (STATE*))
                   (STATE*))),

which again simplifies, rewriting with
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
opening up APPEND, to:

(TRUE).

Case 10. (IMPLIES
            (AND (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                     (CONS (QUOTE SECURITYLEVEL) NIL)
                                     (STATE*))
                             (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                     (CONS (QUOTE SECURITYLEVEL) NIL)
                                     (STATE*))))
                 (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                 (CONS (QUOTE SECURITYCATS) NIL)
                                 (STATE*))
                         (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                 (CONS (QUOTE SECURITYCATS) NIL)
                                 (STATE*))
                         (STATE*))
                 (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                     (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                     (STATE*))
                             (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                     (CONS (QUOTE INTEGRITYLEVEL) NIL)
                                     (STATE*))))
                 (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                 (CONS (QUOTE INTEGRITYCATS) NIL)
                                 (STATE*))
                         (SELECT (SELECT (HTII*) (CONS (QUOTE ND) NIL) (STATE*))
                                 (CONS (QUOTE INTEGRITYCATS) NIL)
                                 (STATE*))
                         (STATE*))
                 (NOT (LESSP (SELECT (HTII*)
                                     (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                     (STATE*))
                             (SELECT (LTII*)
                                     (CONS (QUOTE ND) (CONS (QUOTE SECURITYLEVEL) NIL))
                                     (STATE*))))
                 (NOT (LESSP (SELECT (LTII*)
                                     (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                     (STATE*))
                             (SELECT (HTII*)
                                     (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYLEVEL) NIL))
                                     (STATE*)))))
            (SUBSET (SELECT (LTII*)
                            (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                            (STATE*))
                    (SELECT (HTII*)
                            (CONS (QUOTE ND) (CONS (QUOTE INTEGRITYCATS) NIL))
                            (STATE*))
                    (STATE*))).

But this again simplifies, rewriting with the lemmas
ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and
opening up APPEND, to:

(TRUE).
Case 11. (IMPLIES
          (AND
           (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))))
           (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                           (CONS (QUOTE SECURITYCATS) NIL)
                           (STATE*))
                   (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                           (CONS (QUOTE SECURITYCATS) NIL)
                           (STATE*))
                   (STATE*))
           (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))))
           (NOT (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE INTEGRITYCATS) NIL)
                                (STATE*))
                        (STATE*)))
           (NOT (LESSP (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))
                       (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))))
           (NOT (LESSP (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))))
           (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (STATE*)))
          (NOT (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (STATE*)))),

which we again simplify, applying ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and expanding the definition of APPEND, to:

(TRUE)
Case 12. (IMPLIES
          (AND
           (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))))
           (NOT (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*)))
           (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                          (CONS (QUOTE INTEGRITYLEVEL) NIL)
                          (STATE*))
                  (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                          (CONS (QUOTE INTEGRITYLEVEL) NIL)
                          (STATE*)))
           (NOT (LESSP (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))
                       (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))))
           (NOT (LESSP (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))))
           (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (STATE*)))
          (NOT (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (STATE*)))),

which we again simplify, rewriting with ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and unfolding the function APPEND, to:

(TRUE).


1-Jan-80  Page 1:36

Case 13. (IMPLIES
          (AND
           (NOT (LESSP (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE SECURITYLEVEL) NIL)
                               (STATE*))))
           (NOT (SUBSET (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                                (CONS (QUOTE SECURITYCATS) NIL)
                                (STATE*))
                        (STATE*)))
           (NOT (LESSP (SELECT (SELECT (LTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))
                       (SELECT (SELECT (HTII*) (CONS (QUOTE NO) NIL) (STATE*))
                               (CONS (QUOTE INTEGRITYLEVEL) NIL)
                               (STATE*))))
           (NOT (LESSP (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))
                       (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYLEVEL) NIL)) (STATE*))))
           (NOT (LESSP (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYLEVEL) NIL)) (STATE*))))
           (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE INTEGRITYCATS) NIL)) (STATE*))
                   (STATE*)))
          (NOT (SUBSET (SELECT (LTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (SELECT (HTII*) (CONS (QUOTE NO) (CONS (QUOTE SECURITYCATS) NIL)) (STATE*))
                       (STATE*)))).

But this simplifies again, applying ASSOCIATIVITY.OF.SELECT, CAR.CONS, and CDR.CONS, and opening up the definition of APPEND, to:

(TRUE).


Q.E.D.

Load average during proof: 2.P5C366
Elapsed time: 113.577 seconds

CPU time (devoted to theorem proving): 43.741 seconds
GC time: M.887 seconds
IO time: 7.2b7 seconds
CONSes consumed: 89301


PROVED
_UNDO.BACK.THROUGH (INPUT.TO.OUTPUT)

((PROVE.LEMMA CONCLUSION NIL
   (EQUAL (AND (AND (AND (NOT (GREATERP (SELECT (SELECT (LTII*) (QUOTE (NO)) (STATE*)) (QUOTE (SECURITYLEVEL)) (STATE*))
                                        (SELECT (SELECT (HTII*) (QUOTE (NO)) (STATE*)) (QUOTE (SECURITYLEVEL)) (STATE*))))
                         (SUBSET (SELECT (SELECT (LTII*) (QUOTE (NO)) (STATE*)) (QUOTE (SECURITYCATS)) (STATE*))
                                 (SELECT (SELECT (HTII*) (QUOTE (NO)) (STATE*)) (QUOTE (SECURITYCATS)) (STATE*))
                                 (STATE*)))
                    (NOT (LESSP (SELECT (SELECT (LTII*) (QUOTE (NO)) (STATE*)) (QUOTE (INTEGRITYLEVEL)) (STATE*))
                                (SELECT (SELECT (HTII*) (QUOTE (NO)) (STATE*)) (QUOTE (INTEGRITYLEVEL)) (STATE*)))))
               (SUBSET (SELECT (SELECT (LTII*) (QUOTE (NO)) (STATE*)) (QUOTE (INTEGRITYCATS)) (STATE*))
                       (SELECT (SELECT (HTII*) (QUOTE (NO)) (STATE*)) (QUOTE (INTEGRITYCATS)) (STATE*))
                       (STATE*)))
          (AND (NOT (GREATERP (SELECT (LTII*) (QUOTE (NO SECURITYLEVEL)) (STATE*))
                              (SELECT (HTII*) (QUOTE (NO SECURITYLEVEL)) (STATE*))))
               (SUBSET (SELECT (LTII*) (QUOTE (NO SECURITYCATS)) (STATE*))
                       (SELECT (HTII*) (QUOTE (NO SECURITYCATS)) (STATE*))
                       (STATE*))
               (NOT (LESSP (SELECT (LTII*) (QUOTE (NO INTEGRITYLEVEL)) (STATE*))
                           (SELECT (HTII*) (QUOTE (NO INTEGRITYLEVEL)) (STATE*))))
               (SUBSET (SELECT (LTII*) (QUOTE (NO INTEGRITYCATS)) (STATE*))
                       (SELECT (HTII*) (QUOTE (NO INTEGRITYCATS)) (STATE*))
                       (STATE*)))))
 (COMMENT INPUT.TO.OUTPUT))
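The INPUT.TO.OUTPUT conjecture restated above, modelled in Python as an added illustration (not code from the KSOS report or its prover): the first conjunct reads each MLS attribute through two nested SELECTs, the second through one SELECT on the appended path, and the two must give the same verdict on every state, which is what the case-by-case rewriting with ASSOCIATIVITY.OF.SELECT established. The field names are those in the conjecture; the record layout, integer levels and category sets are constructed assumptions of this model.

```python
# Added illustration, not code from the KSOS report or its prover.
from itertools import product


def select(structure, path):
    """Path-based SELECT: follow each field name in turn. Built so that
    select(select(s, p1), p2) == select(s, p1 + p2), the property the
    ASSOCIATIVITY.OF.SELECT axiom states for the prover's SELECT."""
    for field in path:
        structure = structure[field]
    return structure


def spec_compare(ltii, htii):
    """First conjunct of the conjecture: two nested SELECTs per attribute."""
    lt, ht = select(ltii, ["NO"]), select(htii, ["NO"])
    return (not select(lt, ["SECURITYLEVEL"]) > select(ht, ["SECURITYLEVEL"])
            and select(lt, ["SECURITYCATS"]) <= select(ht, ["SECURITYCATS"])
            and not select(lt, ["INTEGRITYLEVEL"]) < select(ht, ["INTEGRITYLEVEL"])
            and select(lt, ["INTEGRITYCATS"]) <= select(ht, ["INTEGRITYCATS"]))


def impl_compare(ltii, htii):
    """Second conjunct: one SELECT per attribute on the appended path
    (NO SECURITYLEVEL), (NO SECURITYCATS), and so on."""
    def attr(item, field):
        return select(item, ["NO", field])
    return (not attr(ltii, "SECURITYLEVEL") > attr(htii, "SECURITYLEVEL")
            and attr(ltii, "SECURITYCATS") <= attr(htii, "SECURITYCATS")
            and not attr(ltii, "INTEGRITYLEVEL") < attr(htii, "INTEGRITYLEVEL")
            and attr(ltii, "INTEGRITYCATS") <= attr(htii, "INTEGRITYCATS"))


def make_item(level, cats, ilevel, icats):
    """Constructed sample record using the field names the conjecture selects;
    integer levels and frozenset categories are assumptions of this model."""
    return {"NO": {"SECURITYLEVEL": level, "SECURITYCATS": frozenset(cats),
                   "INTEGRITYLEVEL": ilevel, "INTEGRITYCATS": frozenset(icats)}}


def agree_on_all_states(levels=(0, 1, 2), cats=("A", "B")):
    """Exhaustively check, over a small finite state space, that both sides
    return the same verdict (the prover showed this symbolically for all states)."""
    catsets = [frozenset(c for c, on in zip(cats, bits) if on)
               for bits in product((0, 1), repeat=len(cats))]
    items = [make_item(lv, c, il, ic)
             for lv in levels for c in catsets for il in levels for ic in catsets]
    return all(spec_compare(a, b) == impl_compare(a, b)
               for a in items for b in items)
```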


(COMMENT STATE.EQUIVALENCE)
STATE.EQUIVALENCE


ADD.AXIOM (HYPOTHESIS
           (REWRITE)
           (AND (EQUAL (SUBSET X Y (NEWSTATE))
                       (SUBSET X Y (STATE)))
                (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE))
                       (SELECT STRUCTURE FIELD (STATE)))))

HYPOTHESIS


PROVE.LEMMA (CONCLUSION NIL
             (AND (EQUAL (SUBSET V1 V2 (NEWSTATE))
                         (SUBSET V1 V2 (STATE)))
                  (EQUAL (SELECT V1 V2 (NEWSTATE))
                         (SELECT V1 V2 (STATE)))))

This conjecture can be propositionally simplified to two new formulas:

Case 1. (EQUAL (SUBSET V1 V2 (NEWSTATE))
               (SUBSET V1 V2 (STATE))).

This simplifies, applying the lemma HYPOTHESIS, to:

(TRUE)

Case 2. (EQUAL (SELECT V1 V2 (NEWSTATE))
               (SELECT V1 V2 (STATE))),

which we simplify, rewriting with HYPOTHESIS, to:

(TRUE).


Q.E.D.


Load average during proof: 2.05"3b6
Elapsed time: seconds

CPU time (devoted to theorem proving): .342 seconds
GC time: 0.0 seconds
IO time: .303 seconds
CONSes consumed: 261


PROVED


_UNDO.BACK.THROUGH (STATE.EQUIVALENCE)

((PROVE.LEMMA CONCLUSION NIL
   (AND (EQUAL (SUBSET V1 V2 (NEWSTATE)) (SUBSET V1 V2 (STATE)))
        (EQUAL (SELECT V1 V2 (NEWSTATE)) (SELECT V1 V2 (STATE)))))
 (ADD.AXIOM HYPOTHESIS (REWRITE)
   (AND (EQUAL (SUBSET X Y (NEWSTATE)) (SUBSET X Y (STATE)))
        (EQUAL (SELECT STRUCTURE FIELD (NEWSTATE)) (SELECT STRUCTURE FIELD (STATE)))))
 (COMMENT STATE.EQUIVALENCE))


_UNDO.BACK.THROUGH (CORRECTNESS.OF.SMXCOMPARE)

((DCL LTII*) (DCL HTII*) (COMMENT CORRECTNESS.OF.SMXCOMPARE))


_UNDO.BACK.THROUGH (CORRECTNESS.OF.THE.IMPLEMENTATION.OF.SMXCOMPAREMODULE.ON.PRIMITIVEMODULE)

((ADD.AXIOM ASSOCIATIVITY.OF.SELECT (REWRITE)
   (EQUAL (SELECT (SELECT S P1 STATE) P2 STATE) (SELECT S (APPEND P1 P2) STATE)))
 (ADD.AXIOM IDENTITY.OF.SELECT (REWRITE)
   (EQUAL (SELECT S NIL STATE) S))
 (DCL SMXCOMPARE (LTII HTII STATE))
 (DCL SELECT.RECORD (STRUCTURE FIELD STATE))
 (DCL SUBSETOP (X Y STATE))
 (DCL QUOTEOP (X STATE))
 (DCL ANDOP (X Y STATE))
 (DCL OROP (X Y STATE))
 (DCL LESSOREQUALOP (X Y STATE))
 (DCL GREATEROREQUALOP (X Y STATE))
 (DCL NUMBERPOP (X STATE))
 (DCL DIFFERENCEOP (X Y STATE))
 (DCL PLUSOP (X Y STATE))
 (DCL ADD1OP (X STATE))
 (DCL LESSPOP (X Y STATE))
 (DCL GREATERPOP (X Y STATE))
 (DCL ZEROPOP (X STATE))
 (DCL NEQUALOP (X Y STATE))
 (DCL EQUALOP (X Y STATE))
 (DCL UNDEFOP (STATE))
 (DCL FALSEOP (STATE))
 (DCL TRUEOP (STATE))
 (DCL SELECT (STRUCTURE FIELD STATE))
 (DCL SUBSET (X Y STATE))
 (DCL ’MX? (STATE))
 (DCL NEWSTATE)
 (DCL PSClfJ)
 (DCL STATE*)
 (DCL STATE)
 (COMMENT CORRECTNESS.OF.THE.IMPLEMENTATION.OF.SMXCOMPAREMODULE.ON.PRIMITIVEMODULE))


